Cryptographic methods, apparatus and systems for storage media electronic rights management in closed and connected appliances

ABSTRACT

A rights management arrangement for storage media such as optical digital video disks (DVDs, also called digital versatile disks) provides adequate copy protection in a limited, inexpensive mass-producible, low-capability platform such as a dedicated home consumer disk player and also provides enhanced, more flexible security techniques and methods when the same media are used with platforms having higher security capabilities. A control object (or set) defines plural rights management rules, for instance, price for performance or rules governing redistribution. Low capability platforms may enable only a subset of the control rules such as controls on copying or marking of played material. Higher capability platforms may enable all (or different subsets) of the rules. Cryptographically strong security is provided by encrypting at least some of the information carried by the media and enabling decryption based on the control set and/or other limitations. A secure “software container” can be used to protectively encapsulate (e.g., by cryptographic techniques) various digital property content (e.g., audio, video, game, etc.) and control object (i.e., set of rules) information. A standardized container format is provided for general use on/with various mediums and platforms. In addition, a special purpose container may be provided for DVD medium and appliances (e.g., recorders, players, etc.) that contains DVD program content (digital property) and DVD medium specific rules. The techniques, systems and methods disclosed herein are capable of achieving compatibility with other protection standards, such as for example, CGMA and Matsushita data protection standards adopted for DVDs. Cooperative rights management may also be provided, where plural networked rights management arrangements collectively control a rights management event on one or more of such arrangements.

CROSS-REFERENCE TO RELATED APPLICATIONS AND PATENTS

This application is a continuation application of U.S. patent application Ser. No. 11/429,385, filed May 4, 2006, which is a continuation from U.S. patent application Ser. No. 08/848,077, filed May 15, 1997, now abandoned, which claims priority from U.S. Provisional Application No. 60/037,931, filed Feb. 14, 1997, U.S. Provisional Application No. 60/018,132, filed May 22, 1996, and U.S. Provisional Application No. 60/017,722, filed May 15, 1996.

The specifications and drawings of the following prior commonly assigned published patent applications are incorporated by reference into this patent specification:

U.S. Pat. No. 4,827,508 entitled “Database Usage Metering and Protection System and Method” dated May 2, 1989;

U.S. Pat. No. 4,977,594 entitled “Database Usage Metering and Protection System and Method” dated Dec. 11, 1990;

U.S. Pat. No. 5,050,213 entitled “Database Usage Metering and Protection System and Method” dated Sep. 17, 1991;

U.S. Pat. No. 5,410,598 entitled “Database Usage Metering and Protection System and Method” dated Apr. 25, 1995;

European Patent No. EP329681 entitled “Database Usage Metering and Protection System and Method” dated Jan. 17, 1996;

PCT Publication No. WO 96/27155 dated 6 Sep. 1996 entitled “Systems And Methods For Secure Transaction Management And Electronic Rights Protection”, which is based on PCT application no. PCT/US96/02303 filed 13 Feb. 1996 and U.S. patent application Ser. No. 08/388,107 of Ginter et al. filed on Feb. 13, 1995, now abandoned (hereinafter “Ginter et al”);

PCT Publication No. WO 98/10381 dated Mar. 12, 1998 entitled “Trusted Infrastructure Support Systems, Methods And Techniques For Secure Electronic Commerce, Electronic Transactions, Commerce Process Control And Automation, Distributed Computing, And Rights Management,” which is based on PCT Application No. PCT/US96/14262 filed 4 Sep. 1996 and which corresponds to U.S. patent application Ser. No. 08/699,712 of Ginter et al. filed on Aug. 12, 1996, now abandoned (hereinafter “Shear et al.”);

PCT Publication No. WO 97/43761 dated Nov. 20, 1997 entitled “Cryptographic Methods, Apparatus and Systems for Storage Media Electronic Rights Management in Closed and Connected Appliances,” which is based on PCT Application No. PCT/US97/08192 filed May 15, 1997 and which corresponds to U.S. patent application Ser. No. 08/689,606 of Van Wie and Weber filed on Aug. 12, 1996 entitled “Steganographic Techniques For Securely Delivering Electronic Digital Rights Management Control Information Over Insecure Communications Channels,” now U.S. Pat. No. 5,943,422 (hereinafter “Van Wie and Weber”); and

U.S. patent application Ser. No. 08/689,754 entitled “Systems and Methods Using Cryptography To Protect Secure Computing Environments,” of Shear, Sibert and Van Wie filed on Aug. 12, 1996, now U.S. Pat. No. 6,157,721 issued Dec. 5, 2000 (hereinafter “Sibert and Van Wie”).

FIELD OF THE INVENTION

This invention relates to information protection techniques using cryptography, and more particularly to techniques using cryptography for managing rights to information stored on portable media—one example being optical media such as Digital Video Disks (also known as “Digital Versatile Disks” and/or “DVDs”). This invention also relates to information protection and rights management techniques having selectable applicability depending upon, for example, the resources of the device being used by the consumer (e.g., personal computer or standalone player), other attributes of the device (such as whether the device can be and/or typically is connected to an information network (“connected” versus “unconnected”)), and available rights. This invention further relates, in part, to cooperative rights management—where plural networked rights management arrangements collectively control a rights management event on one or more of such arrangements. Further, important aspects of this invention can be employed in rights management for electronic information made available through broadcast and/or network downloads and/or use of non-portable storage media, either independent of, or in combination with portable media.

BACKGROUND OF THE INVENTION

The entertainment industry has been transformed by the pervasiveness of home consumer electronic devices that can play video and/or audio from pre-recorded media. This transformation began in the early 1900s with the invention of the phonograph—which for the first time allowed a consumer to listen to his or her favorite band, orchestra or singer in his or her home whenever he or she wishes. The availability of inexpensive video cassette recorders/players beginning in the early 1980s brought about a profound revolution in the movie and broadcast industries, creating an entirely new home consumer market for films, documentaries, music videos, exercise videos, etc.

The entertainment industry has long searched for optimal media for distributing content to home consumers. The original phonograph cylinders distributed by Thomas Edison and other phonograph pioneers had the advantage that they were difficult to copy, but suffered from various disadvantages such as high manufacturing costs, low resistance to breakage, very limited playback time, relatively low playback quality, and susceptibility to damage from wear, scratching or melting. Later-developed wax and vinyl disks could hold more music material but suffered from many of the same disadvantages. Magnetic tapes, on the other hand, could be manufactured very inexpensively and could hold a large amount of program material (e.g., 2, 4 or even 6 hours of video and/or audio). Such magnetic tapes could reproduce program material at relatively high quality, and were not as susceptible to damage or wearing out. However, despite the many clear advantages that magnetic tape provides over other media, the entertainment industry has never regarded it as an ideal or optimum medium because of its great susceptibility to copying.

Magnetic tape has the very flexible characteristic that it can be relatively easily recorded on. Indeed, the process for recording a magnetic tape is nearly as straightforward as that required for playing back pre-recorded content. Because of the relative ease by which magnetic tape can be recorded, home consumer magnetic tape equipment manufacturers have historically provided dual mode equipment that can both record and play back magnetic tapes. Thus, home audio and video tape players have traditionally had a “record” button that allows a consumer to record his or her own program material on a blank (un-recorded) magnetic tape. While this recording ability has given consumers additional flexibility (e.g., the ability to record a child's first words for posterity, and the ability to capture afternoon soap operas for evening viewing), it has unfortunately also been the foundation of an illegal multi-billion dollar content pirating industry that produces millions of illegal, counterfeit copies every year. This illegal pirating operation—which is international in scope—leeches huge amounts of revenue every year from the world's major entertainment content producers. The entertainment industry must pass along these losses to honest consumers—resulting in higher box office prices, and higher video and audio tape sales and rental prices.

In the mid 1980s, the audio entertainment industry developed the optical compact disk as an answer to some of these problems. The optical compact disk—a thin, silvery plastic platter a few inches in diameter—can hold an hour or more of music or other audio programming in digital form. Such disks were later also used for computer data. The disk can be manufactured very inexpensively, and provides extremely high quality playback that is resistant to noise because of the digital techniques used to record and recover the information. Because the optical disk can be made from plastic, it is light weight, virtually unbreakable, and highly resistant to damage from normal consumer handling (unlike the prior vinyl records that were easily scratched or worn down even by properly functioning phonographs). And, because recording on an optical disk is, so far, significantly more difficult than playing back an optical disk, home consumer equipment providing both recording and playback capabilities is unlikely, in the near future, to be as cost-effective as play-only equipment—greatly reducing the potential for illicit copying. Because of these overwhelming advantages, the music industry has rapidly embraced the new digital compact disk technology—virtually replacing older audio vinyl disk media within the space of a few short years.

Indeed, the threat of widespread and easy unauthorized copying in the absence of rights management technologies apparently has been an important contributing factor to the demise of digital audio tape (DAT) as a medium for music distribution and, more importantly, home audio recording. Rightsholders in recorded music vigorously opposed the widespread commercialization of inexpensive DAT technology that lacked rights management capabilities since the quality of the digital recording was completely faithful to the digital source on, for example, music CDs. Of course, the lack of rights management was not the only factor at work, since compared with optical media, tape format made random access difficult, for example, playing songs out of sequence.

The video entertainment industry is on the verge of a revolution similar to that wrought by music CDs based on movies in digital format distributed on high capacity read-only optical media. For example, digital optical disk technology has advanced to the point where it is now possible to digitally record, among other things, a full length motion picture (plus sound) on one side of a 5″ plastic optical disk. This same optical disk can accommodate multiple high-quality digital audio channels (e.g., to record multi-channel “sensurround” sound for home theaters and/or to record film dialog in multiple different languages on the same disk). This same technology makes it possible to access each individual frame or image of a movie for still image reproduction or—even more exciting—to provide an unprecedented “random access” playback capability that has never before existed in home consumer equipment. This “random access” playback could be used, for example, to delete violence, foul language or nudity at time of playback so that parents could select a “PG” playback version of an “R” rated film at the press of a button. The “random access” capability also has exciting possibilities in terms of allowing viewers to interact with the pre-recorded content (e.g., allowing a health enthusiast to select only those portions of an exercise video helpful to a particular day's workout). See, for example, “Applications Requirements for Innovative Video Programming,” DVD Conference Proceedings (Interactive Multimedia Association, 19-20 Oct. 1995, Sheraton Universal Hotel, Universal City, Calif.).

Non-limiting examples of the DVD family of optical media include:

-   DVD (Digital Video Disk, Digital Versatile Disk), a non-limiting example of which includes consumer appliances that play movies recorded on DVD disks;
-   DVD-ROM (DVD-Read Only Memory), a non-limiting example of which includes a DVD read-only drive and disk connected to a computer or other appliance;
-   DVD-RAM (DVD Random Access Memory), a non-limiting example of which includes a read/write drive and optical media in, for example, consumer appliances for home recording and in a computer or other appliance for the broadest range of specific applications; and
-   Any other high capacity optical media presently known or unknown.

“DVDs” are, of course, not limited to use with movies. Like CDs, they may also be used for other kinds of information, for example:

-   sound recordings
-   software
-   databases
-   games
-   karaoke
-   multimedia
-   distance learning
-   documentation
-   policies and manuals
-   any kind of digital data or other information
-   any combination of kinds of digital data or other information
-   any other uses presently known or unknown.

The broad range of DVD uses presents a technical challenge: how can the information content distributed on such disks, which might be any kind or combination of video, sound, or other data or information broadly speaking, be adequately protected while preserving or even maximizing consumer flexibility? One widely proposed requirement for the new technology (mainly within the context of video), is, to the extent copying is permitted at all, to either: (a) allow a consumer to make a first generation copy of the program content for their own use, but prevent the consumer from making “copies of copies”, or multi-generational copies of a given property (thus keeping honest people honest); or (b) to allow unlimited copying for those properties that rightsholders do not wish to protect against copying, or which consumers have made themselves.

However, providing only such simplistic and limited copy protection in a non-extensible manner may turn out to be extremely shortsighted—since more sophisticated protection and/or rights management objectives (e.g., more robust and selective application of copy protection and other protection techniques, enablement of pay-per-view models, the ability of the consumer to make use of enhanced functionality such as extracting material or interactivity upon paying extra charges, and receiving credit for redistribution, to name a few) could be very useful now or in the future. Moreover, in optimally approaching protection and rights management objectives, it is extremely useful to take differing business opportunities and threats into account that may relate to information delivered via DVD media, for example, depending upon available resources of the device and/or whether the device is connected or unconnected.

More sophisticated rights management capabilities will also allow studios and others who have rights in movies and/or sound recordings to better manage these important assets, in one example, to allow authorized parties to repurpose pieces of digital film, video and/or audio, whether specific and/or arbitrary pieces, to create derivative works, multimedia games, in one non-limiting example. Solutions proposed to date for protecting DVD content have generally focused solely on limited copy protection objectives and have failed to adequately address or even recognize more sophisticated rights management objectives and requirements. More specifically, one copy protection scheme for the initial generation of DVD appliances and media is based on an encryption method developed initially by Matsushita and the simple CGMA control codes that indicate permitted copying: a one-generation copy, no copies, or unlimited copying.

SUMMARY OF THE INVENTIONS

Comprehensive solutions for protecting and managing information in systems that incorporate high capacity optical media such as DVD require, among other things, methods and systems that address two broad sets of problems: (a) digital to analog conversion (and vice versa); and (b) the use of such optical media in both connected and unconnected environments. The inventions disclosed herein address these and other problems. For example, in the context of analog to digital conversion (and vice versa), it is contemplated that, in accordance with the present inventions, at least some of the information used to protect properties and/or describe rights management and/or control information in digital form could also be carried along with the analog signal. Devices that convert from one format and/or medium to another can, for example, incorporate some or all of the control and identifying information in the new context(s), or at least not actively delete such information during the conversion process. In addition, the present inventions provide control, rights management and/or identification solutions for the digital realm generally, and also critically important technologies that can be implemented in consumer appliances, computers, and other devices. One objective of the inventions is to provide powerful rights management techniques that are useful in both the consumer electronics and computer technology markets, and that also enable future evolution of technical capabilities and business models. Another non-limiting objective is to provide a comprehensive control, rights management and/or identification solution that remains compatible, where possible, with existing industry standards for limited function copy protection and for encryption.

The present inventions provide rights management and protection techniques that fully satisfy the limited copy protection objectives currently being voiced by the entertainment industry for movies while also flexibly and extensibly accommodating a wide range of more sophisticated rights management options and capabilities.

Some important aspects of the present inventions (that are more fully discussed elsewhere in this application) include:

-   Selection of control information associated with information recorded on DVD media (for example, rules and usage consequence control information, that comprise non-limiting example elements of a Virtual Distribution Environment (VDE)) that is based at least in part on class of appliance, for example, type of appliance, available resources and/or rights;
-   Enabling such selected control information to be, at least in part, a subset of control information used on other appliances and/or classes of appliance, or completely different control information;
-   Protecting information output from a DVD device, such as applying rights management techniques disclosed in Ginter et al. and the present application to the signals transmitted using an IEEE 1394 port (or other serial interface) on a DVD player;
-   Creation of protected digital content based on an analog source;
-   Reflecting differing usage rights and/or content availability in different countries and/or regions of the world;
-   Securely managing information on DVD media such that certain portions may be used on one or more classes of appliance (e.g., a standalone DVD player), while other portions may be used on the same or different classes of appliance (e.g., a standalone DVD player or a PC);
-   Securely storing and/or transmitting information associated with payment, auditing, controlling and/or otherwise managing content recorded on DVD media, including techniques related to those disclosed in Ginter et al. and in Shear et al.;
-   Updating and/or replacing encryption keys used in the course of appliance operation to modify the scope of information that may be used by appliances and/or classes of appliances;
-   Protecting information throughout the creation, distribution, and usage process, for example, by initially protecting information collected by a digital camera, and continuing protection and rights management through the editing process, production, distribution, usage, and usage reporting.
-   Allowing “virtual rights machines,” consisting of multiple devices and/or other systems that participate and work together in a permanently or in a temporarily connected network to share some or all of the rights management for a single and/or multiple nodes including, for example, allowing resources available in plural such devices and/or other systems, and/or rights associated with plural parties and/or groups using and/or controlling such devices and/or other systems, to be employed in concert (according to rights related rules and controls) so as to govern one or more electronic events on any one or more of such devices and/or other systems, such event governance including, for example: viewing, editing, subsetting, anthologizing, printing, copying, titling, extracting, saving, and/or redistributing rights protected digital content.
-   Allowing for the exchange of rights among peer-to-peer relating devices and/or other systems, wherein such devices and/or other systems participate in a temporary or permanently connected network, and wherein such rights are bartered, sold for currency, and/or otherwise exchanged for value and/or consideration where such value and/or consideration is exchanged between such peer-to-peer participating commercial and/or consumer devices and/or other systems.

General Purpose DVD/Cost-Effective Large Capacity Digital Media Rights Protection and Management

The inventions described herein can be used with any large capacity storage arrangement where cost-effective distribution media is used for commercial and/or consumer digital information delivery and DVD, as used herein, should be read to include any such system.

Copy protection and rights management are important in practical DVD systems and will continue to be important in other large capacity storage, playback, and recording systems, presently known or unknown, in the future. Protection is needed for some or all of the information delivered (or written) on most DVD media. Such protection against copying is only one aspect of rights management. Other aspects involve allowing rightsholders and others to manage their commercial interests (and to have them enforced, potentially at a distance in time and/or space) regardless of distribution media and/or channels, and the particular nature of the receiving appliance and/or device. Such rights management solutions that incorporate DVD will become even more significant as future generations of recordable DVD media and appliances come to market. Rightsholders will want to maintain and assert their rights as, for example, video, sound recordings, and other digital properties are transmitted from one device to another and as options for recording become available in the market.

The apparent convergence between consumer appliances and computers, increasing network and modem speeds, the declining cost of computer power and bandwidth, and the increasing capacity of optical media will combine to create a world of hybrid business models in which digital content of all kinds may be distributed on optical media played on at least occasionally connected appliances and/or computers, in which the one-time purchase models common in music CDs and initial DVD movie offerings are augmented by other models, for example, lease, pay per view, and rent to own, to name just a few. Consumers may be offered a choice among these and other models from the same or different distributors and/or other providers. Payment for use may happen over a network and/or other communications channel to some payment settlement service. Consumer usage and audit information may flow back to creators, distributors, and/or other participants. The elementary copy protection technologies for DVD now being introduced cannot support these and other sophisticated models.

As writable DVD appliances and media become available, additional hybrid models are possible, including, for example, the distribution of digital movies over satellite and cable systems. Having recorded a movie, a consumer may elect a lease, rental, pay-per-view, or other model if available. As digital television comes to market, the ability of writable DVDs to make faithful copies of on-air programming creates additional model possibilities and/or rights management requirements. Here too, simplistic copy protection mechanisms currently being deployed for the initial read-only DVD technologies will not suffice.

Encryption is a Means, not an End

Encryption is useful in protecting intellectual properties in digital format, whether on optical media such as DVD, on magnetic media such as disk drives, in the active memory of a digital device and/or while being transmitted across computer, cable, satellite, and other kinds of networks or transmission means. Historically, encryption was used to send secret messages. With respect to DVD, a key purpose of encryption is to require the use of a copy control and rights management system in order to ensure that only those authorized to do so by rightsholders can indeed use the content.

But encryption is more of a means, rather than an end. A central issue is how to devise methods for ensuring, to the maximal extent possible, that only authorized devices and parties can decrypt the protected content and/or otherwise use information only to the extent permitted by the rightsholder(s) and/or other relevant parties in the protected content.

The Present Inventions

The present inventions provide powerful rights management capabilities. In accordance with one aspect provided by the present invention, encrypted digital properties can be put on a DVD in a tamper-resistant software “container” such as, for example, a “DigiBox” secure container, together with rules about “no copy” and/or “copy” and/or “numbers of permitted copies” that may apply and be enforced by consumer appliances. These same rules, and/or more flexible and/or different rules, can be enforced by computer devices or other systems that may provide more and/or different capabilities (e.g., editing, excerpting, one or more payment methods, increased storage capability for more detailed audit information, etc.). In addition, the “software container” such as for example, a “DigiBox” secure container, can store certain content in the “clear” (that is, in unencrypted form). For example, movie or music titles, copyright statements, audio samples, trailers, and/or advertising can be stored in the clear and/or could be displayed by any appropriate application or device. Such information could be protected for authenticity (integrity) when available for viewing, copying, and/or other activities. At the same time, valuable digital properties of all kinds (film, video, image, text, software, and multimedia) may be stored at least partially encrypted to be used only by authorized devices and/or applications and only under permitted, for example rightsholder-approved, circumstances.

Another aspect provided in accordance with the present invention (in combination with certain capabilities disclosed in Ginter et al.) is that multiple sets of rules could be stored in the same “container” on a DVD disk. The software then applies rules depending on whether the movie, for example, was to be played by a consumer appliance or computer, whether the particular apparatus has a backchannel (e.g., an on-line connection), the national and/or other legal or geographic region in which the player is located and/or the movie is being displayed, and/or whether the apparatus has components capable of identifying and applying such rules. For example, some usage rules may apply when information is played by a consumer device, while other rules may apply when played by a computer. The choice of rules may be left up to the rightsholder(s) and/or other participants—or some rules may be predetermined (e.g., based on the particular environment or application). For example, film rightsholders may wish to limit copying and ensure that excerpts are not made regardless of the context in which the property is played. This limitation might be applied only in certain legal or geographic areas. Alternatively, rightsholders of sound recordings may wish to enable excerpts of predetermined duration (e.g., no more than 20 seconds) and that these excerpts are not used to construct a new commercial work. In some cases, governments may require that only “PG” versions of movies and/or the equivalent rating for TV programs may be played on equipment deployed in their jurisdiction, and/or that the applicable taxes, fees and the like are automatically calculated and/or collected if payments related to content recorded on DVD are requested and/or performed (e.g., pay-per-use of a movie, game, database, software product, etc.; and/or orders from a catalog stored at least in part on DVD media, etc.).

In a microprocessor controlled (or augmented) digital consumer appliance, such rules contemplated by the present inventions can be enforced, for example, without requiring more than a relatively few additions to a central, controlling microprocessor (or other CPU, an IEEE 1394 port controller, or other content handling control circuitry), and/or making available some ROM or flash memory to hold the necessary software. In addition, each ROM (or flash or other memory, which such memory may be securely connected to, or incorporated into, such control circuitry in a single, manufactured component) can, in one example, contain one or more digital documents or “certificate(s)” that uniquely identify a particular appliance, individual identity, jurisdiction, appliance class(es), and/or other chosen parameters. An appliance can, for example, be programmed to send a copy of a digital property to another digital device only in encrypted form and only inside a new, tamper-resistant “software container.” The container may also, for example, carry with it a code indicating that it is a copy rather than an original that is being sent. The device may also put a unique identifier of a receiving device and/or class of devices in the same secure container. Consequently, for example, in one particular arrangement, the copy may be playable only on the intended receiving device, class(es) of devices, and/or devices in a particular region in one non-limiting example and rights related to use of such copy may differ according to these and/or other variables.

The receiving device, upon detecting that the digital property is indeed a copy, can, for example, be programmed not to make any additional copies that can be played on a consumer device and/or other class(es) of devices. If a device detects that a digital property is about to be played on a device and/or other class(es) of devices other than the one it was intended for, it can be programmed to refuse to play that copy (if desired).
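The rule selection and copy marking described in the preceding paragraphs can be modeled as follows. This is an added example, not code from the patent: the field names, device records and demo key are hypothetical, and an HMAC tag stands in for the container's cryptographic protection (content encryption is omitted).

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): stands in for key material a compliant
# appliance would hold in protected ROM or flash.
DEMO_KEY = b"constructed-demo-key"

DENY_ALL = {"play": False, "first_gen_copy": False}


def compute_tag(body):
    """HMAC-SHA256 over a canonical JSON encoding of the container body."""
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(DEMO_KEY, blob, hashlib.sha256).hexdigest()


def seal(body):
    """Wrap rules and metadata with an integrity tag."""
    return {"body": body, "tag": compute_tag(body)}


def open_container(container):
    """Return the body only if the tag verifies, so altered rules are never applied."""
    if not hmac.compare_digest(container["tag"], compute_tag(container["body"])):
        raise ValueError("container integrity check failed")
    return container["body"]


def select_rules(body, device):
    """Pick the first control set matching the device's class, region and connectivity."""
    for cs in body["control_sets"]:
        if device["class"] not in cs["classes"]:
            continue
        if cs["regions"] is not None and device["region"] not in cs["regions"]:
            continue
        if cs["needs_backchannel"] and not device["backchannel"]:
            continue
        return cs["rules"]
    return DENY_ALL  # no applicable control set: default deny


def may_play(container, device):
    """Decide playback from the verified rules and, for a copy, the bound receiver."""
    body = open_container(container)
    # A copy is playable only on the receiving device named inside the container.
    if body["is_copy"] and body["bound_to"] != device["id"]:
        return False
    return bool(select_rules(body, device)["play"])


def make_copy(container, sender, receiver):
    """Produce a first-generation copy in a new container marked as a copy."""
    body = open_container(container)
    if body["is_copy"]:
        raise PermissionError("copies of copies are not permitted")
    if not select_rules(body, sender)["first_gen_copy"]:
        raise PermissionError("control set does not permit copying on this device")
    return seal(dict(body, is_copy=True, bound_to=receiver["id"]))


# Constructed sample container carrying two control sets for one property.
DISK = seal({
    "title": "Constructed Sample Film",
    "is_copy": False,
    "bound_to": None,
    "control_sets": [
        {"classes": ["consumer_player"], "regions": None, "needs_backchannel": False,
         "rules": {"play": True, "first_gen_copy": True}},
        {"classes": ["computer"], "regions": ["US"], "needs_backchannel": True,
         "rules": {"play": True, "first_gen_copy": False, "pay_per_view": True}},
    ],
})

# Constructed device records (hypothetical identifiers).
PLAYER_A = {"id": "player-A", "class": "consumer_player", "region": "US", "backchannel": False}
PLAYER_B = {"id": "player-B", "class": "consumer_player", "region": "US", "backchannel": False}
PC_OFFLINE = {"id": "pc-1", "class": "computer", "region": "US", "backchannel": False}
PC_ONLINE = {"id": "pc-2", "class": "computer", "region": "US", "backchannel": True}

if __name__ == "__main__":
    copy_for_b = make_copy(DISK, PLAYER_A, PLAYER_B)
    print("player A plays disk:", may_play(DISK, PLAYER_A))
    print("offline PC plays disk:", may_play(DISK, PC_OFFLINE))
    print("player B plays its copy:", may_play(copy_for_b, PLAYER_B))
    print("player A plays B's copy:", may_play(copy_for_b, PLAYER_A))
```

Because the copy flag and receiver identifier sit inside the tagged body, clearing the flag without the key makes `open_container` reject the container instead of treating it as an original.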

The same restrictions applied in a consumer appliance can, for example, be enforced on a computer equipped to provide rights management protection in accordance with the present inventions. In this example, rules may specify not to play a certain film and/or other content on any device other than a consumer appliance and/or classes of appliances, for example. Alternatively, these same powerful capabilities could be used to specify different usage rules and payment schemes that would apply when played on a computer (and/or in other appliances and/or classes of appliances), as the rightsholder(s) may desire, for example, different pricing based upon different geographic or legal locales where content is played.

In addition, if “backchannels” are present—for example, set-top boxes with bi-directional communications or computers attached to networks—the present inventions contemplate electronic, independent delivery of new rules if desired or required for a given property. These new rules may, for example, specify discounts, time-limited sales, advertising subsidies, and/or other information if desired. As noted earlier, determination of these independently delivered rules is entirely up to the rightsholder(s) and/or others in a given model.

The following are two specific examples of a few aspects of the present invention discussed above:

1. An Analog to Digital Copying Example

a) Bob has a VHS tape he bought (or rented) and wants to make a copy for his own use. The analog film has copy control codes embedded so that they do not interfere with the quality of the signal. Bob has a writable DVD appliance that is equipped to provide rights management protection in accordance with the present invention. Bob's DVD recorder detects the control codes embedded in the analog signal (for example, such recorder may detect watermarks and/or fingerprints carrying rights related control and/or usage information), creates a new secure container to hold the content rules and describe the encoded film, and creates new control rules (and/or delivers to a secure VDE system for storage and reporting certain usage history related information such as user name, time, etc.) based on the analog control codes and/or other information it detected and that are then placed in the DigiBox and/or into a secure VDE installation data store such as a secure data base. Bob can play that copy back on his DVD appliance whenever he chooses.

b) Bob gives the DVD disk he recorded to Jennifer who wishes to play it on a computer that has a DVD drive. Her computer is equipped to provide rights management protection in accordance with the present invention. Her computer opens the “DigiBox,” detects that this copy is being used on a device different from the one that recorded it (an unauthorized device) and refuses to play the copy.

c) Bob gives the DVD disk to Jennifer as before, but now Jennifer contacts electronically a source of new rules and usage consequences, which might be the studio, a distributor, and/or a rights and permissions clearinghouse, (or she may have sufficient rights already on her player to play the copy). The source sends a DigiBox container to Jennifer with rules and consequences that permit playing the movie on her computer while at the same time charging her for use, even though the movie was recorded on DVD by Bob rather than by the studio or other value chain participant.

2. A Digital to Analog Copying Example

a) Jennifer comes home from work, inserts a rented or owned DVD into a player connected to, or an integral part of her TV, and plays the disk. In a completely transparent way, the film is decrypted, the format is converted from digital to analog, and displayed on her analog TV.

b) Jennifer wishes to make a copy for her own use. She plays the film on a DVD device incorporating rights management protection in accordance with the present invention, that opens the DigiBox secure container, accesses the control information, and decrypts the film. She records the analog version on her VCR which records a high-quality copy.

c) Jennifer gives the VCR copy to Doug who wishes to make a copy of the analog tape for his own use, but the analog control information forces the recording VCR to make a lower-quality copy, or may prevent copying. In another non-limiting example, more comprehensive rights management information may be encoded in the analog output using the methods and/or systems described in more detail in the above referenced Van Wie and Weber patent application.

In accordance with one aspect provided by this invention, the same portable storage medium, such as a DVD, can be used with a range of different, scaled protection environments providing different protection capabilities. Each of the different environments may be enabled to use the information carried by the portable storage medium based on rights management techniques and/or capabilities supported by the particular environment. For example, a simple, inexpensive home consumer disk player may support copy protection and ignore more sophisticated and complex content rights the player is not equipped to enable. A more technically capable and/or secure platform (e.g., a personal computer incorporating a secure processing component possibly supported by a network connection, or a “smarter” appliance or device) may, for example, use the same portable storage medium and provide enhanced usage rights related to use of the content carried by the medium based on more complicated rights management techniques (e.g., requiring payment of additional compensation, providing secure extraction of selected content portions for excerpting or anthologizing, etc.). For example, a control set associated with the portable storage medium may accommodate a wide variety of different usage capabilities—with the more advanced or sophisticated uses requiring correspondingly more advanced protection and rights management enablement found on some platforms and not others. Lower-capability environments can, as another example, ignore (or not enable or attempt to use) rights in the control set that they don't understand, while higher-capability environments (having awareness of the overall capabilities they provide), may, for example, enable the rights and corresponding protection techniques ignored by the lower-capability environments.
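The scaled control set described above and the Bob and Jennifer copying scenario can be modelled as one rule evaluator. This is an added illustration, not code from the patent or from any VDE product; the class names, capability labels, device identifiers and prices are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Capability labels are hypothetical names chosen for this example.
COPY_CONTROL, METERING, EXTRACTION = "copy_control", "metering", "secure_extraction"

@dataclass(frozen=True)
class Rule:
    right: str                               # "play", "copy", "excerpt", ...
    requires: frozenset                      # capabilities needed to enable the rule
    device_classes: frozenset = frozenset()  # empty set: applies to any device class
    price_cents: int = 0
    allow: bool = True

@dataclass(frozen=True)
class Container:
    content_id: str
    rules: tuple
    is_copy: bool = False                    # the "copy rather than original" code
    bound_device: Optional[str] = None       # identifier of the intended device

@dataclass(frozen=True)
class Platform:
    device_id: str
    device_class: str
    capabilities: frozenset

def decide(container, platform, right, delivered=()):
    """Return (allowed, price_cents) for one requested right on one platform.

    delivered: rules received over a backchannel, independently of the disc.
    """
    def enabled(rule):
        # A platform silently ignores rules it is not equipped to enable.
        return (rule.right == right
                and rule.requires <= platform.capabilities
                and (not rule.device_classes
                     or platform.device_class in rule.device_classes))

    on_disc = [r for r in container.rules if enabled(r)]
    if container.is_copy:
        if right == "copy":
            return (False, 0)                # no further copies of a copy
        if container.bound_device not in (None, platform.device_id):
            on_disc = []                     # rights on the copy stay with its device
    candidates = on_disc + [r for r in delivered if enabled(r)]
    if not candidates:
        return (False, 0)                    # default deny
    winner = candidates[-1]                  # independently delivered rules take precedence
    return (winner.allow, winner.price_cents if winner.allow else 0)

# Constructed sample data.
BOB_RECORDER = Platform("bob-dvd-01", "consumer_player", frozenset({COPY_CONTROL}))
JENNIFER_PC = Platform("jen-pc-01", "computer",
                       frozenset({COPY_CONTROL, METERING, EXTRACTION}))
STUDIO_DISC = Container("film-0001", rules=(
    Rule("play", frozenset({COPY_CONTROL})),
    Rule("copy", frozenset({COPY_CONTROL}), allow=False),
    Rule("excerpt", frozenset({EXTRACTION, METERING}), price_cents=50),
))
BOBS_COPY = Container("film-0001",
                      rules=(Rule("play", frozenset({COPY_CONTROL})),),
                      is_copy=True, bound_device="bob-dvd-01")
DELIVERED = (Rule("play", frozenset({METERING}), frozenset({"computer"}),
                  price_cents=299),)

def demo():
    return {
        "basic player, excerpt": decide(STUDIO_DISC, BOB_RECORDER, "excerpt"),
        "secure node, excerpt": decide(STUDIO_DISC, JENNIFER_PC, "excerpt"),
        "Bob plays his copy": decide(BOBS_COPY, BOB_RECORDER, "play"),
        "Jennifer, no new rules": decide(BOBS_COPY, JENNIFER_PC, "play"),
        "Jennifer, rules delivered": decide(BOBS_COPY, JENNIFER_PC, "play", DELIVERED),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The evaluator denies by default, so a right that no enabled rule grants is refused rather than silently permitted.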

In accordance with another aspect provided by the invention, a media- and platform-independent security component can be scaled in terms of functionality and performance such that the elementary rights management requirements of consumer electronics devices are subsets of a richer collection of functionality that may be employed by more advanced platforms. The security component can be either a physical, hardware component, or a “software emulation” of the component. In accordance with this feature, an instance of medium (or more correctly, one version of the content irrespective of media) can be delivered to customers independently of their appliance or platform type with the assurance that the content will be protected. Platforms less advanced in terms of security and/or technical capabilities may provide only limited rights to use the content, whereas more advanced platforms may provide more expansive rights based on correspondingly appropriate security conditions and safeguards.

In accordance with a further aspect provided by the present invention, mass-produced, inexpensive home consumer DVD players (such as those constructed, for example, with minimum complexity and parts count) can be made to be compatible with the same DVDs or other portable storage media used by more powerful and/or secure platforms (such as, for example, personal computers) without degrading advanced rights management functions the storage media may provide in combination with the more powerful and/or secure platforms. The rights management and protection arrangement provided and supported in accordance with this aspect of the invention thus supports inexpensive basic copy protection and can further serve as a commercial convergence technology supporting a bridging that allows usage in accordance with rights of the same content by a limited resource consumer device while adequately protecting the content and further supporting more sophisticated security levels and capabilities by (a) devices having greater resources for secure rights management, and/or (b) devices having connectivity with other devices or systems that can supply further secure rights management resources. This aspect of the invention allows multiple devices and/or other systems that participate and work together in a permanently or temporarily connected network to share the rights management for at least one or more electronic events (e.g., managed through the use of protected processing environments such as described in Ginter et al.) occurring at a single, or across multiple nodes and further allows the rights associated with parties and/or groups using and/or controlling such multiple devices and/or other systems to be employed according to underlying rights related rules and controls, this allowing, for example, rights available through a corporate executive's device to be combined with or substitute for, in some manner, the rights of one or more subordinate corporate employees when their computing or other devices of these parties are coupled in a temporary networking relationship and operating in the appropriate context. In general, this aspect of the invention allows distributed rights management for DVD or otherwise packaged and delivered content that is protected by a distributed, peer-to-peer rights management. Such distributed rights management can operate whether the DVD appliance or other electronic information usage device is participating in a permanently or temporarily connected network and whether or not the relationships among the devices and/or other systems participating in the distributed rights management arrangement are relating temporarily or have a more permanent operating relationship. In this way, the same device may have different rights available depending on the context in which that device is operating (e.g., in a corporate environment such as in collaboration with other individuals and/or with groups, in a home environment internally and/or in collaboration with external one or more specified individuals and/or other parties, in a retail environment, in a classroom setting as a student where a student's notebook might cooperate in rights management with a classroom server and/or instructor PC, in a library environment where multiple parties are collaboratively employing differing rights to use research materials, on a factory floor where a hand held device works in collaboration with control equipment to securely and appropriately perform proprietary functions, and so on).

For example, coupling a limited resource device arrangement, such as a DVD appliance, with an inexpensive network computer (NC), or a personal computer (PC), may allow an augmenting (or replacing) of rights management capabilities and/or specific rights of parties and/or devices by permitting rights management to be a result of a combination of some or all of the rights and/or rights management capabilities of the DVD appliance and those of a Network or Personal Computer (NC or PC). Such rights may be further augmented, or otherwise modified or replaced by the availability of rights management capabilities provided by a trusted (secure) remote network rights authority.

These aspects of the present invention can allow the same device, in this example a DVD appliance, to support different arrays, e.g., degrees, of rights management capabilities, in disconnected and connected arrangements and may further allow available rights to result from the availability of rights and/or rights management capabilities resulting from the combination of rights management devices and/or other systems. This may include one or more combinations of some or all of the rights available through the use of a “less” secure and/or resource poor device or system which are augmented, replaced, or otherwise modified through connection with a device or system that is “more” or “differently” secure and/or resource rich and/or possesses differing or different rights, wherein such connection employs rights and/or management capabilities of either and/or both devices as defined by rights related rules and controls that describe a shared rights management arrangement.

In the latter case, connectivity to a logically and/or physically remote rights management capability can expand (by, for example, increasing the available secure rights management resources) and/or change the character of the rights available to the user of the DVD appliance or a DVD appliance when such device is coupled with an NC, personal computer, local server, and/or remote rights authority. In this rights augmentation scenario, additional content portions may be available, pricing may change, redistribution rights may change (e.g., be expanded), content extraction rights may be increased, etc.

Such “networking rights management” can allow for a combination of rights management resources of plural devices and/or other systems in diverse logical and/or physical relationships, resulting in either greater or differing rights through the enhanced resources provided by connectivity with one or more “remote” rights authorities. Further, while providing for increased and/or differing rights management capability and/or rights, such a connectivity based rights management arrangement can support multi-locational content availability, by providing for seamless integration of remotely available content, for example, content stored in remote, Internet world wide web-based, database supported content repositories, with locally available content on one or more DVD discs.

In this instance, a user may experience not only increased or differing rights but may use both local DVD content and supplementing content (i.e., content that is more current from a time standpoint, more costly, more diverse, or complementary in some other fashion, etc.). In such an instance, a DVD appliance and/or a user of a DVD appliance (or other device or system connected to such appliance) may have the same rights, differing, and/or different rights applied to locally and remotely available content, and portions of local and remotely available content may themselves be subject to differing or different rights when used by a user and/or appliance. This arrangement can support an overall, profound increase in user content opportunities that are seamlessly integrated and efficiently available to users in a single content searching and/or usage activity by exploiting the rights management and content resources of plural, connected arrangements.

Such a rights augmenting remote authority may be directly coupled to a DVD appliance and/or other device by modem, or directly or indirectly coupled through the use of an I/O interface, such as a serial 1394 compatible controller (e.g., by communicating between a 1394 enabled DVD appliance and a local personal computer that functions as a smart synchronous or asynchronous information communications interface to such one or more remote authorities, including a local PC or NC or server that serves as a local rights management authority augmenting and/or supplying the rights management in a DVD appliance).

In accordance with yet another aspect provided by this invention, rights provided to, purchased, or otherwise acquired by a participant and/or participant DVD appliance or other system can be exchanged among such peer-to-peer relating devices and/or other systems through the use of one or more permanently or temporarily networked arrangements. In such a case, rights may be bartered, sold for currency, otherwise exchanged for value, and/or loaned so long as such devices and/or other systems participate in a rights management system, for example, such as the Virtual Distribution Environment described in Ginter, et al., and employ rights transfer and other rights management capabilities described therein. For example, this aspect of the present invention allows parties to exchange games or movies in which they have purchased rights. Continuing the example, an individual might buy some of a neighbor's usage rights to watch a movie, or transfer to another party credit received from a game publisher for the successful superdistribution of the game to several acquaintances, where such credit is transferred (exchanged) to a friend to buy some of the friend's rights to play a different game a certain number of times, etc.

In accordance with yet another aspect provided by this invention, content carried by a portable storage medium such as a DVD is associated with one or more encryption keys and a secure content identifier. The content itself (or information required to use the content) is at least partially cryptographically encrypted—with associated decryption keys being required to decrypt the content before the content can be used. The decryption keys may themselves be encrypted in the form of an encrypted key block. Different key management and access techniques may be used, depending on the platform.

In accordance with still yet another aspect provided by this invention, electronic appliances that “create” digital content (or even analog content)—e.g., a digital camera/video recorder or audio recorder—can be readily equipped with appropriate hardware and/or software so as to produce content that is provided within a secure container at the outset. For example, content recorded by a digital camera could be immediately packaged in a secure container by the camera as it is recording. The camera could then output content already packaged in a secure container(s). This could preclude the need to encapsulate the content at a later point in time or at a later production stage, thus, saving at least one production-process step in the overall implementation of electronic rights management in accordance with the present invention. Moreover, it is contemplated that the very process of “reading” content for use in the rights management environment might occur at many steps along a conventional production and distribution process (such as during editing and/or the so called “pressing” of a master DVD or audio disk, for example). Accordingly, another significant advantage of the present invention is that rights management of content essentially can be extended throughout and across each appropriate content creation, editing, distribution, and usage stages to provide a seamless content protection architecture that protects rights throughout an entire content life cycle.

In one example embodiment, the storage medium itself carries key block decryption key(s) in a hidden portion of the storage medium not normally accessible through typical access and/or copying techniques. This hidden key may be used by a drive to decrypt the encrypted key block—such decrypted key block then being used to selectively decrypt content and related information carried by the medium. The drive may be designed in a secure and tamper-resistant manner so that the hidden keys are never exposed outside of the drive to provide an additional security layer.

In accordance with another example embodiment, a video disk drive may store and maintain keys used to decrypt an encrypted key block. The key block decryption keys may be stored in a drive key store, and may be updatable if the video disk drive may at least occasionally use a communications path provided, for example, by a set top box, network port or other communications route.

In accordance with a further example embodiment, a virtual distribution environment secure node including a protected processing environment such as a hardware-based secure processing unit may control the use of content carried by a portable storage medium such as a digital video disk in accordance with control rules and methods specified by one or more secure containers delivered to the secure node on the medium itself and/or over an independent communications path such as a network.

Certain conventional copy protection for DVD currently envisions CGMA copy protection control codes combined with certain encryption techniques first proposed apparently by Matsushita Corporation. Notwithstanding the limited benefits of this approach to digital property protection, the present invention is capable of providing a supplementary, compatible, and far more comprehensive rights management system while also providing additional and/or different options and solutions. The following are some additional examples of advantageous features provided in accordance with the inventions:

-   Strong security to fully answer content supplier needs.
-   Value chain management automation and efficiencies including distributed rights protection, “piece of the tick” payment disaggregation to value chain participants, cost-effective micro-transaction management, and superdistribution, including offline micropayment and microtransaction support for at least occasionally connected devices.
-   Simplified, more efficient channel management including support for the use of the same content deliverable on limited resource, greater resource, standalone, and/or connected devices.
-   Can be used with any medium and application type and/or all forms of content and content models—not just compressed video and sound as in some prior techniques and supports the use of copies of the same or materially the same content containers across a wide variety of media delivery systems (e.g., broadcast, Internet repository, optical disc, etc) for operation on a wide variety of different electronic appliances (e.g., digital cameras, digital editing equipment, sound recorders, sound editing equipment, movie theater projectors, DVD appliances, broadcast tape players, personal computers, smart televisions, etc).
-   Asset management and revenue and/or other consideration maximizing through important new content revenue and/or other consideration opportunities and the enhancement of value chain operating efficiencies.
-   Is capable of providing 100% compatibility with the other protection techniques such as, for example, CGMA protection codes and/or Matsushita data scrambling approaches to DVD copy protection.
-   Can be employed with a variety of existing data scrambling or protection systems to provide very high degrees of compatibility and/or level of functionality.
-   Allows DVD technology to become a reusable, programmable, resource for an unlimited variety of entertainment, information commerce, and cyberspace business models.
-   Enables DVD drive and/or semiconductor component manufacturers and/or distributors and/or other value adding participants to become providers of, and rights holders in, the physical infrastructure of the emerging, connected world of the Internet and Intranets where they may charge for the use of a portion (e.g., a portion they provided) of the distributed, physical infrastructure as that portion participates in commercial networks. Such manufacturers and/or distributors and/or other value adding participants can enjoy the revenue benefits resulting from participation in a “piece of the tick” by receiving a small portion of the revenue received as a result of a participating transaction.
-   Provides automated internationalization, regionalization, and rights management in that:
    -   DVD content can be supplied with arrays of different rule sets for automatic use depending on rights and identity of the user; and
    -   Societal rights, including taxes, can be handled transparently.

In addition, the DVD rights management method and apparatus of the present invention provides added benefits to media recorders/publishers in that it:

-   Works with a current “keep honest people honest” philosophy.
-   Can provide 100% compatibility with other protection schemes such as for example, Matsushita data scrambling and/or CGMA encoded discs.
-   Can work with and/or supplement other protection schemes to provide desired degree and/or functionality, or can be used in addition to or instead of other approaches to provide additional and/or different functionality and features.
-   Provides powerful, extensible rights management that reaches beyond limited copy protection models to rights management for the digitally convergent world.
-   Empowers recording/publishing studios to create sophisticated asset management tools.
-   Creates important business opportunities through controlled use of studio properties in additional multimedia contexts.
-   Uniquely ties internationalization, regionalization, superdistribution, repurposing, to content creation processes and/or usage control.

Other aspects of the present invention provide benefits to other types of rightsholders, such as for example:

-   Persistent, transparent protection of digital content—globally, through value chain and process layers.
-   Significant reduction in revenue loss from copying and pass-along.
-   Converts “pass-along,” copying, and many forms of copyright infringement from a strategic business threat to a fundamental business opportunity.
-   A single standard for all digital content regardless of media and/or usage locality and other rights variables.
-   Major economies of scale and/or scope across industries, distribution channels, media, and content type.
-   Can support local usage governance and auditing within DVD players allowing for highly efficient micro-transaction support, including multiparty microtransactions and transparent multiparty microtransactions.
-   Empowers rightsholders to employ the broadest range of pricing, business models, and market strategies—as they see fit.

Further aspects of the present invention which may prove beneficial to DVD and other digital medium appliance manufacturers are:

-   Capable of providing bit for bit compatibility with existing discs.
-   Content type independent.
-   Media independent and programmable/reusable.
-   Highly portable transition to next generation of appliances having higher density devices and/or a writable DVD and/or other optical media format(s).
-   Participation in revenue flow generated using the appliance.
-   Single extensible standard for all digital content appliances.
-   Ready for the future “convergent” world in which many appliances are connected in the home using, as one example, IEEE 1394 interfaces or other means (e.g., some appliances will be very much like computers and some computers will be very much like appliances).

Aspects of the present inventions provide many benefits to computer and OS manufacturers such as for example:

-   Implementation in computers as an extension to the operating system, via for example, at least one transparent plug-in, and does not require modifications to computer hardware and/or operating systems.
-   Easy, seamless integration into operating systems and into applications.
-   Extremely strong security, especially when augmented with “secure silicon” (i.e., hardware/firmware protection apparatus fabricated on chip).
-   Transforms user devices into true electronic commerce appliances.
-   Provides a platform for trusted, secure rights management and event processing.
-   Programmable for customization to specialized requirements.

Additional features and advantages provided in accordance with the inventions include, for example:

-   Information on the medium (for example, both properties and metadata) may be encrypted or not.
-   Different information (for example, properties, metadata) may be encrypted using different keys. This provides greater protection against compromise, as well as supporting selective usage rights in the context of a sophisticated rights management system.
-   There may be encrypted keys stored on the medium, although this is not required. These keys may be used to decrypt the protected properties and metadata. Encrypted keys are likely to be used because that allows more keying material for the information itself, while still keeping access under control of a single key.
-   Multiple sets of encrypted keys may be stored on the medium, either to have different sets of keys associated with different information, or to allow multiple control regimes to use the same information, where each control regime may use one or more different keys to decrypt the set of encrypted keys that it uses.
-   To support the ability of the player to access rights managed containers and/or content, a decryption key for the encrypted keys may be hidden on the medium in one or more locations that are not normally accessible. The “not normally accessible” location(s) may be physically enabled for drives installed in players, and disabled for drives installed in computers. The enablement may be different firmware, a jumper on the drive, etc.
-   The ability of the player to access rights managed containers and/or content may also be supported by one or more stored keys inside the player that decrypts certain encrypted keys on the medium.
-   Keys in a player may allow some players to play different properties than others. Keys could be added to, and/or deleted from the player by a network connection (e.g., to a PC, a cable system, and/or a modem connection to a source of new and/or additional keys and/or key revocation information) or automatically loaded by “playing” a key distribution DVD.
-   Controlling computer use may be supported by some or all of the same techniques that control player use of content and/or rights management information.
-   Controlling computer use of content and/or rights management information may be supported by having a computer receive, through means of a trusted rights management system, one or more appropriate keys.
-   A computer may receive additional keys that permit decryption of certain encrypted keys on the medium.
-   A computer may receive additional keys that permit decryption of one or more portions of encrypted data directly. This may permit selective use of information on the medium without disclosing keys (e.g., a player key that decrypts any encrypted keys).
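The key hierarchy in the list above, and in the earlier example embodiments with an encrypted key block, can be sketched as follows. This is an added illustration, not code from the patent: the `seal`/`unseal` helpers are a standard-library stand-in for a vetted authenticated cipher and are not suitable for production, and the regime names and sample properties are assumptions.

```python
import hashlib
import hmac
import json
import secrets

def _subkey(key, label):
    # Derive separate encryption and authentication keys from one key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Encrypt then authenticate (demonstration stand-in for a real AEAD)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, stream))
    return body + hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag before decrypting; a wrong key or altered data fails."""
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    nonce, ciphertext = body[:16], body[16:]
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))

def master_disc(properties, regime_keys):
    """Encrypt each property under its own key and wrap the key block per regime."""
    content_keys = {name: secrets.token_bytes(32) for name in properties}
    key_block = json.dumps({n: k.hex() for n, k in content_keys.items()}).encode()
    disc = {
        "properties": {n: seal(content_keys[n], d) for n, d in properties.items()},
        # One encrypted copy of the key block for each control regime.
        "key_blocks": {r: seal(k, key_block) for r, k in regime_keys.items()},
    }
    return disc, content_keys

def open_key_block(disc, regime, regime_key):
    block = json.loads(unseal(regime_key, disc["key_blocks"][regime]))
    return {name: bytes.fromhex(h) for name, h in block.items()}

def use_property(disc, name, content_key):
    return unseal(content_key, disc["properties"][name])

def rejects(fn, *args):
    """True when the call is refused because the key or data does not verify."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False

# Constructed sample data. "player" stands for the hidden or drive-held key,
# "secure_node" for a key issued through a trusted rights management system.
SAMPLE = {"film": b"constructed film bytes", "metadata": b"constructed title list"}
REGIME_KEYS = {"player": secrets.token_bytes(32),
               "secure_node": secrets.token_bytes(32)}

if __name__ == "__main__":
    disc, content_keys = master_disc(SAMPLE, REGIME_KEYS)
    keys = open_key_block(disc, "player", REGIME_KEYS["player"])
    print(use_property(disc, "film", keys["film"]))
    # A computer handed only the metadata key can use that one portion.
    print(use_property(disc, "metadata", content_keys["metadata"]))
    print(rejects(use_property, disc, "film", content_keys["metadata"]))
```

Handing out a single content key gives access to one portion only, while the regime key that opens the whole key block is never disclosed.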

In accordance with further aspects provided by the present invention, a secure “software container” is provided that allows:

-   Cryptographically protected encapsulation of content, rights rules, and usage controls.
-   Persistent protection for transport, storage, and value chain management.
-   Sophisticated rules interface architecture.

Elements can be delivered independently, such as new controls, for example, regarding discount pricing (e.g. sale pricing, specific customer or group discounts, pricing based on usage patterns, etc.) and/or other business model changes, can be delivered after the property has been distributed (this is especially beneficial for large properties or physical distribution media (e.g., DVD, CD-ROM) since redistribution costs may be avoided and consumers may continue to use their libraries of discs). In addition, encrypted data can be located “outside” the container. This can allow, for example, use of data stored independently from the controls and supports “streaming” content as well as “legacy” systems (e.g., CGMS).

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features and advantages provided in accordance with these inventions may be better and more completely understood by referring to the following detailed description of presently preferred examples in conjunction with the drawings, of which:

FIG. 1A shows example home consumer electronics equipment for using portable storage media such as digital video disks;

FIG. 1B shows example secure node equipment for using the same portable storage media but providing more advanced rights management capabilities;

FIG. 1C shows an example process for manufacturing protected optical disks;

FIG. 2A shows an example architecture of the FIG. 1A consumer electronics equipment;

FIG. 2B shows an example architecture for the FIG. 1B secure node equipment;

FIG. 3 shows example data structures used by the FIG. 1A equipment;

FIGS. 3A and 3B show example control set definitions;

FIGS. 4A and 4B show example usage techniques provided by the FIG. 1A appliance;

FIG. 5 shows example data structures used by the FIG. 1B secure node for accessing information on the storage medium;

FIG. 6 shows an example usage technique performed by the FIG. 1B secure node;

FIG. 7 is a block diagram illustrating an example of a special secure software container contained on a DVD;

FIG. 8 is a block diagram illustrating an example of a secure container along with the video property content stored on a DVD medium;

FIG. 9 is a block diagram illustrating another example of a standard container stored on a DVD medium including an additional container having a more complex rule arrangement for use, for example, with a secure node;

FIG. 10 shows an example use of a DVD having a container (i.e., stored on the medium) with a DVD player provided with a secure rights management node, and also shows use of the same DVD with a DVD player that does not have a secure rights management node;

FIG. 11 is a block diagram illustrating use of a DVD that does not have a container on a DVD player that is provided with a rights management secure node in accordance with the present invention as compared with use of the same DVD with a DVD player that does not have a secure node;

FIGS. 12-14 show example network configurations; and

FIGS. 15A-15C show an example virtual rights process.

DETAILED DESCRIPTION OF PRESENTLY PREFERRED EXAMPLE EMBODIMENTS

Overall Example Digital Video Disk Usage System

FIG. 1A shows example inexpensive mass-produced home consumer electronics equipment 50 for using information stored on a storage medium 100 such as a portable digitally-encoded optical disk (e.g., a digital video disk or “DVD”). Consumer equipment 50 includes a dedicated disk player 52 (which in some embodiments may also have the capability to write optical media, for example writeable DVD disks or “DVD-RAM”) connected to a home color television set 54. A remote control unit 56 may be used to control the disk player 52 and/or television set 54.

In one example, disk 100 may store a feature length motion picture or other video content. Someone wishing to watch the content stored on disk 100 may purchase or rent the disk, insert the disk into player 52 and use remote control 56 (and/or controls 58 that may be provided on player 52) to control the player to play back the content via home television set 54.

In some embodiments, remote control 56 (and/or controls 58 that may be provided on device 52) may be used to control the recording of a movie, for example. Player 52 reads the digitized video and audio information carried by disk 100, converts it into signals compatible with home color television set 54, and provides those signals to the home color television set.

In some embodiments, television set 54 (and/or a set top box) provides the video signals to be recorded by device 52 on writable optical media, DVD-RAM in one non-limiting example. Television set 54 produces images on screen 54a and produces sounds through loudspeakers 54b based on the signals player 52 provides to the television set.

The same disk 100 may be used by a more advanced platform 60 shown in FIG. 1B. Platform 60 may include, for example, a personal computer 62 connected to a display monitor 64, a keyboard 66, a mouse pointing device 68, and a loudspeaker 70. In this example, platform 60 may be able to play back the content stored on disk 100 in the same way as dedicated disk player 52, but may also be capable of more sophisticated and/or advanced uses of the content as enabled by the presence of secure node 72 within the platform. (In some embodiments, platform 60 may also be able to record content on writable optical media, DVD-RAM, in one non-limiting example.) For example, it may be possible, using platform 60 and its secure node 72, to interactively present the motion picture or other content such that the user may input choices via keyboard 66 and/or mouse pointing device 68 that, in real time, change the presentation provided via display 64 and loudspeaker 70.

As one example, the platform 60 user selects from options displayed on display 64 that cause the content presentation sequence to change (e.g., to provide one of a number of different endings, to allow the user to interactively control the flow of the images presented, etc.). Computer 62 may also be capable of using and manipulating digital data including for example computer programs and/or other information stored on disk 100 that player 52 cannot handle.

Secure node 72 provides a secure rights management facility that may, for example, permit more invasive or extensive use of the content stored on disk. For example, dedicated player 52 may prevent any copying of content stored by disk 100, or it may allow the content to be copied only once and never again. Platform 60 including secure node 72, on the other hand, may allow multiple copies of some or all of the same content—but only if certain conditions are met (e.g., the user of equipment 60 falls within a certain class of people, compensation at an agreed on rate is securely provided for each copy made, only certain excerpts of the content are copied, a secure audit trail is maintained and reported for each copy so made, etc.). (In some embodiments, dedicated player 52 may send protected content only to devices authenticated as able to securely enforce rights management rules and usage consequences. In some embodiments, devices may authenticate using digital certificates, one non-limiting example being certificates conforming to the X.509 standard.) Hence, platform 60 including secure node 72 can, in this example, use the content provided by disk 100 in a variety of flexible, secure ways that are not possible using dedicated player 52—or any other appliance that does not include a secure node.

Example Secure Disk Creation and Distribution Process

FIG. 1C shows an example secure process for creating a master multimedia DVD disk 100 for use with players 50, 60. In this example, a digital camera 350 converts light images (i.e., pictures) into digital information 351 representing one or a sequence of images. Digital camera 350 in this example includes a secure node 72A that protects the digital information 351 before it leaves camera 350. Such protection can be accomplished, for example, by packaging the digital information within one or more containers and/or associating controls with the digital information.

In this example, digital camera 350 provides the protected digital image information 351 to a storage device such as, for example, a digital tape recorder 352. Tape recorder 352 stores the digital image information 351 (along with any associated controls) onto a storage medium such as magnetic tape cartridge 354 for example. Tape recorder 352 may also include a secure node 72B. Secure node 72B in this example can understand and enforce the controls that the digital camera secure node 72A applies to and/or associates with the digital information 351, and/or it may apply its own controls to the stored information.

The same or different tape recorder 352 may play back protected digital information 351 to a digital mixing board 356. Digital mixing board 356 may mix, edit, enhance or otherwise process the digital information 351 to generate processed digital information 358 representing one or a sequence of images. Digital mixing board 356 may receive additional inputs from other devices such as for example other tape recorders, other digital cameras, character generators, graphics generators, animators, or any other image-based devices. Any or all of such devices may also include secure nodes 72 to protect the information they generate. In some embodiments, some of the digital information can be derived from equipment including a secure node, and other digital information can be derived from equipment that has no secure node. In still other embodiments, some of the digital information provided to digital mixer 356 is protected and some is not protected.

Digital mixing board 356 may also include a secure node 72C in this example. The digital mixing board secure node 72C may enforce controls applied by digital camera secure node 72A and/or tape recorder secure node 72B, and/or it may add its own protections to the digital information 358 it generates.

In this example, an audio microphone 361 receives sound and converts the sound into analog audio signals. The audio signals in this example are inputted to a digital audio tape recorder 362. In the example shown, tape recorder 362 and audio mixer 364 are digital devices. However, in other embodiments, one, the other or both of these devices may operate in the analog domain. In the example shown, digital audio tape recorder 362 converts the analog audio signals into digital information representing the sounds, and stores the digital information (and any associated controls) onto a tape 363.

In this example, audio tape recorder 362 includes a secure node 72E that may associate controls with the information stored on tape 363. Such controls may be stored with the information on the tape 363. In another embodiment, microphone 361 may include its own internal secure node 72 that associates control information with the audio information (e.g., by steganographically encoding the audio information with control information). The tape recorder 362 may enforce such controls applied by microphone 361.

Alternatively, microphone 361 may operate in the digital domain and provide digital representations of audio, perhaps including control information supplied by secure node 72 optionally incorporated in microphone 361, directly to connected devices such as audio tape recorder 362. Digital representations may optionally be substituted for analog representations of any signals between the devices in the example FIG. 1C.

The same or different tape recorder 362 may play back the information recorded on tape 363, and provide the information 366 to an audio mixer 364. Audio mixer 364 may edit, mix, or otherwise process the information 366 to produce information 368 representing one or a sequence of sounds. Audio mixer 364 may also receive inputs from other devices such as for example other tape recorders, other microphones, sound generators, musical synthesizers, or any other audio-based devices. Any or all of such devices may also include secure nodes 72 to protect the information they generate. In some embodiments, some of the digital information is derived from equipment including a secure node, and other digital information is derived from equipment that has no secure node. In still other embodiments, some of the digital information provided to audio mixer 364 is protected and some is not protected.

Audio mixer 364 in this example includes a secure node 72F that enforces the controls, if any, applied by audio tape recorder secure node 72E; and/or applies its own controls.

Digital image mixer 356 may provide digital information 358 to “DVD-RAM” equipment 360 that is capable of writing to master disks 100 and/or to disks from which master disks may be created. Similarly, audio mixer 364 may provide digital information 368 to equipment 360. Equipment 360 records the image information 358 and audio information 368 onto master disk 100. In this example, equipment 360 may include a secure node 72D that enforces controls applied by digital camera secure node 72A, tape recorder secure node 72B, digital mixer secure node 72C, audio tape recorder secure node 72E and/or audio mixer secure node 72F; and/or it may add its own protections to the digital information 358 it writes onto master disks 100. A disk manufacturer can then mass-produce disks 100(1)-100(N) based on the master disk 100 using conventional disk mass-production equipment for distribution through any channels (e.g., video and music stores, websites, movie theaters, etc.). Consumer appliances 50 shown in FIGS. 1A and 1B may play back the disks 100—enforcing the controls applied to the information stored on the disks 100. Secure nodes 72 thus maintain end-to-end, persistent secure control over the images generated by digital camera 350 and the sounds generated by microphone 361 during the entire process of making, distributing and using disks 100.

In the FIG. 1C example shown, the various devices may communicate with one another over so-called “IEEE 1394” high-speed digital serial busses. In this context, “IEEE 1394” refers to hardware and software standards set forth in the following standards specification incorporated by reference herein: 1394-1995 IEEE Standard for a High Performance Serial Bus, No. 1-55937-583-3 (Institute of Electrical and Electronics Engineers 1995). This specification describes a high-speed memory mapped digital serial bus that is self-configuring, hot pluggable, low cost and scalable. The bus supports isochronous and asynchronous transport at 100, 200 or 400 Mbps, and flexibly supports a number of different topologies. The specification describes a physical level including two power conductors and two twisted pairs for signalling. The specification further describes physical, link and transaction layer protocols including serial bus management. Alternatively, any other suitable electronic communication means may be substituted for the “IEEE 1394” medium shown in FIG. 1C, including other wired media (e.g., Ethernet, universal serial bus), and/or wireless media based on radio-frequency (RF) transmission, infra-red signals, and/or any other means and/or types of electronic communication.

Example Dedicated Player Architecture

FIG. 2A shows an example architecture for dedicated player 52. In this example, player 52 includes a video disk drive 80, a controller 82 (e.g., including a microprocessor 84, a memory device such as a read only memory 86, and a user interface 88), and a video/audio processing block 90. Video disk drive 80 optically and physically cooperates with disk 100, and reads digital information from the disk. Controller 82 controls disk drive 80 based on program instructions executed by microprocessor 84 and stored in memory 86 (and further based on user inputs provided by user interface 88 which may be coupled to controls 58 and/or remote control unit 56). Video/audio processing block 90 converts digital video and audio information read by disk drive 80 into signals compatible with home color television set 54 using standard techniques such as video and audio decompression and the like. Video/audio processing block 90 may also insert a visual marking indicating the ownership and/or protection of the video program. Block 90 may also introduce a digital marking indicating to a standard recording device that the content should not be recorded.

Example Secure Node Architecture

FIG. 2B shows an example architecture for platform 60 shown in FIG. 1B—which in this example is built around a personal computer 62 but could comprise any number of different types of appliances. In this example, personal computer 62 may be connected to an electronic network 150 such as the Internet via a communications block 152. Computer equipment 62 may include a video disk drive 80′ (which may be similar or identical to the disk drive 80 included within example player 52). Computer equipment 62 may further include a microprocessor 154, a memory 156 (including for example random access memory and read only memory), a magnetic disk drive 158, and a video/audio processing block 160. Additionally, computer equipment 62 may include a tamper-resistant secure processing unit 164 or other protected processing environment. Secure node 72 shown in FIG. 1B may thus be provided by a secure processing unit 164, software executing on microprocessor 154, or a combination of the two. Different embodiments may provide secure node 72 using software-only, hardware-only, or hybrid arrangements.

Secure node 72 in this example may provide and support a general purpose Rights Operating System employing reusable kernel and rights language components. Such a commerce-enabling Rights Operating System provides capabilities and integration for advanced commerce operating systems of the future. In the evolving electronic domain, general purpose, reusable electronic commerce capabilities that all participants can rely on will become as important as any other capability of operating systems. Moreover, a rights operating system that provides, among other things, rights and auditing operating system functions can securely handle a broad range of tasks that relate to a virtual distribution environment. A secure processing unit can, for example, provide or support many of the security functions of the rights and auditing operating system functions. The other operating system functions can, for example, handle general appliance functions. The overall operating system may, for example, be designed from the beginning to include the rights and auditing operating system functions plus the other operating system functions, or the rights and auditing operating system functions may, in another example, be an add-on to a preexisting operating system providing the other operating system functions. Any or all of these features may be used in combination with the invention disclosed herein.

Example Disk Data Structures and Associated Protections

FIG. 3 shows some example data structures stored on disk 100. In this example, disk 100 may store one or more properties or other content 200 in protected or unprotected form. Generally, in this example, a property 200 is protected if it is at least in part encrypted and/or associated information needed to use the property is at least in part encrypted and/or otherwise unusable without certain conditions having been met. For example, property 200(1) may be completely or partially encrypted using conventional secure cryptographic techniques. Another property 200(2) may be completely unprotected so that it can be used freely without any restriction. Thus, in accordance with this example, disk 100 could store both a movie as a protected property 200(1) and an unprotected interview with the actors and producers or a “trailer” as unprotected property 200(2). As shown in this example, disk 100 may store any number of different properties 200 in protected or unprotected form as limited only by the storage capacity of the disk.

In one example, the protection mechanisms provided by disk 100 may use any or all of the protection (and/or other) structures and/or techniques described in the above-referenced Shear patents. The Shear patents describe, by way of non-exhaustive example, means for solving the problem of how to protect digital content from unauthorized use. For example, the Shear patent specifications describe, among other things, means for electronically “overseeing”—through distributed control nodes present in client computers—the use of digital content. This includes means and methods for fulfilling the consequences of any such use.

Non-limiting examples of certain elements described in the Shear patent specifications include:

-   (a) decryption of encrypted information,
-   (b) metering,
-   (c) usage control in response to a combination of derived metering information and rules set by content providers,
-   (d) securely reporting content usage information,
-   (e) use of database technology for protected information storage and delivery,
-   (f) local secure maintenance of budgets, including, for example, credit budgets,
-   (g) local, secure storage of encryption key and content usage information,
-   (h) local secure execution of control processes, and
-   (i) in many non-limiting instances, the use of optical media.

Any or all of these features may be used in combination in or with the inventions disclosed herein.

Certain of the issued Shear patents' specifications also involve database content being local and remote to users. Database information that is stored locally at the end-user's system and complemented by remote, “on-line” database information, can, for example, be used to augment the local information, which in one example, may be stored on optical media (for example, DVD and/or CD-ROM). Special purpose semiconductor hardware can, for example, be used to provide a secure execution environment to ensure a safe and reliable setting for digital commerce activities.

The Shear patents also describe, among other things, database usage control enabled through the use of security, metering, and usage administration capabilities. The specifications describe, inter alia, a metering and control system in which a database, at least partially encrypted, is delivered to a user (e.g., on optical media). Non-limiting examples of such optical media may, for example, include DVD and CD-ROM. Subsequent usage can, for example, be metered and controlled in any of a variety of ways, and resulting usage information can be transmitted to a responsible party (as one example).

The Shear patent specifications also describe the generation of a bill in response to the transmitted information. Other embodiments of the Shear patents provide, for example, unique information security inventions which involve, for example, digital content usage being limited based on patterns of usage such as the quantity of particular kinds of usage. These capabilities include monitoring the “contiguousness,” and/or “logical relatedness” of used information to ensure that the electronic “conduct” of an individual does not exceed his or her licensed rights. Still other aspects of the Shear patents describe, among other things, capabilities for enabling organizations to securely and locally manage electronic information usage rights. When a database or a portion of a database is delivered to a client site, some embodiments of the Shear patents provide, for example, optical storage means (non-exhaustive examples of which include DVD and CD-ROM) as the mechanism of delivery. Such storage means can store, for example, a collection of video, audio, images, software programs, games, etc., in one example, on optical media, such as DVD and/or CD-ROM, in addition to other content such as a collection of textual documents, bibliographic records, parts catalogs, and copyrighted or uncopyrighted materials of all kinds. Any or all of these features may be used in the embodiments herein.

One specific non-limiting embodiment could, for example, involve a provider who prepares a collection of games. The provider prepares a database “index” that stores information pertaining to the games, such as for example, the name, a description, a creator identifier, the billing rates, and the maximum number of times or total elapsed time each game may be used prior to a registration or re-registration requirement. Some or all of this information could be stored in encrypted form, in one example, on optical media, non-limiting examples of which include DVD and CD-ROM. The provider may then encrypt some or all portions of the games such that a game could not be used unless one or more encrypted portions were decrypted. Typically, decryption would not occur unless provider specified conditions were satisfied, in one example, unless credit was available to compensate for use and audit information reflecting game usage was being stored. The provider could determine, for example: which user activities he or she would allow, whether to meter such activities for audit and/or control purposes, and what, if any, limits would be set for allowed activities. This might include, for example, the number of times that a game is played, and the duration of each play. Billing rates might be discounted, for example, based on total time of game usage, total number of games currently registered for use, or whether the customer was also registered for other services available from the same provider, etc.

In the non-limiting example discussed above, a provider might, for example, assemble all of the prepared games along with other, related information, and publish the collection on optical media, non-limiting examples of which include CD-ROM and/or DVD. The provider might then distribute this DVD disk to prospective customers. The customers could then select the games they wish to play, and contact the provider. The provider, based on its business model, could then send enabling information to each authorized customer, such as for example, including, or enabling for use, decryption keys for the encrypted portion of the selected games (alternatively, authorization to use the games may have arrived with the DVD and/or CD-ROM disk, or might be automatically determined, based on provider set criteria, by the user's secure client system, for example, based on a user's participation in a certified user class). Using the user's client decryption and metering mechanism the customer could then make use of the games. The mechanism might then record usage information, such as for example, the number of times the game was used, and, for example, the duration of each play. It could periodically transmit this information to the game provider, thus substantially reducing the administration overhead requirements of the provider's central servers. The game provider could receive compensation for use of the games based upon the received audit information. This information could be used to either bill their customers or, alternatively, receive compensation from a provider of credit.
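The metering flow of the games example above, as an added illustration that is not code from the patent or the Shear specifications: a client releases a play only when the index limit, the credit budget and audit storage all permit it, and the provider bills from an authenticated usage report. The field names, the shared HMAC report key, the sequence numbers and the audit-log capacity are assumptions made for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class IndexEntry:
    """One row of the provider's database "index" (field names are assumptions)."""
    name: str
    rate_cents: int   # billing rate per play
    max_plays: int    # plays allowed before re-registration is required


def _mac(key, records):
    # Canonical JSON so client and provider authenticate identical bytes.
    payload = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class MeteredClient:
    """Client-side metering: a play is released only if every condition holds."""

    def __init__(self, index, credit_cents, report_key, audit_capacity=4):
        self.index = index
        self.credit_cents = credit_cents
        self._report_key = report_key          # assumed shared with the provider
        self._audit_capacity = audit_capacity  # assumed limit on unreported records
        self._plays = {}      # game id -> plays since registration
        self._audit = []      # usage records not yet reported
        self._next_seq = 0    # never reset, so a withheld report leaves a gap

    def request_play(self, game_id, duration_s):
        """Return (allowed, reason); a content key would be released only if allowed."""
        entry = self.index.get(game_id)
        if entry is None:
            return False, "not in index"
        if self._plays.get(game_id, 0) >= entry.max_plays:
            return False, "re-registration required"
        if self.credit_cents < entry.rate_cents:
            return False, "insufficient credit"
        if len(self._audit) >= self._audit_capacity:
            return False, "audit log full: report before further use"
        # Store the audit record before charging: no use without audit information.
        self._audit.append({"seq": self._next_seq, "game": game_id,
                            "duration_s": duration_s, "charge": entry.rate_cents})
        self._next_seq += 1
        self._plays[game_id] = self._plays.get(game_id, 0) + 1
        self.credit_cents -= entry.rate_cents
        return True, "ok"

    def build_report(self):
        """Hand over the pending audit records and free the local log."""
        records, self._audit = self._audit, []
        return {"records": records, "mac": _mac(self._report_key, records)}


class Provider:
    """Provider side: verify a periodic usage report, then bill from it."""

    def __init__(self, index, report_key):
        self.index = index
        self._report_key = report_key
        self._expected_seq = 0

    def bill(self, report):
        """Return the amount owed in cents, or raise ValueError on a bad report."""
        expected = _mac(self._report_key, report["records"])
        if not hmac.compare_digest(report["mac"], expected):
            raise ValueError("report failed authentication")
        seq, total = self._expected_seq, 0
        for rec in report["records"]:
            if rec["seq"] != seq:
                raise ValueError("gap or replay in audit sequence")
            if rec["charge"] != self.index[rec["game"]].rate_cents:
                raise ValueError("charge does not match index rate")
            seq += 1
            total += rec["charge"]
        self._expected_seq = seq   # commit only after the whole report verifies
        return total


if __name__ == "__main__":
    # Constructed sample index and budget.
    index = {"chess": IndexEntry("Chess", 25, 3), "maze": IndexEntry("Maze", 40, 1)}
    key = b"constructed-report-key"
    client, provider = MeteredClient(index, 100, key), Provider(index, key)
    for game in ("chess", "maze", "maze", "chess", "chess"):
        print(game, client.request_play(game, 300))
    print("billed:", provider.bill(client.build_report()))
```

Because the sequence counter is never reset, a report that is withheld or resubmitted shows up at the provider as a gap or a repeat rather than as silently missing usage.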

Although games provide one convenient, non-limiting example, many of these same ideas can be easily applied to all kinds of content, all kinds of properties, including, by way of non-limiting examples:

-   video,
-   digitized movies,
-   audio,
-   images,
-   multimedia,
-   software,
-   games,
-   any other kind of property,
-   any combination of properties.

Other non-limiting embodiments of the Shear patent specifications support, for example, securely controlling different kinds of user activities, such as displaying, printing, saving electronically, communicating, etc. Certain aspects further apply different control criteria to these different usage activities. For example, information that is being browsed may be distinguished from information that is read into a host computer for the purpose of copying, modifying, or telecommunicating, with different cost rates being applied to the different activities (so that, for example, the cost of browsing can be much less than the cost of copying or printing).

The Shear patent specifications also, for example, describe management of information inside of organizations by both publishers and the customer. For example, an optional security system can be used to allow an organization to prevent usage of all or a portion of an information base unless the user enters his security code. Multiple levels of security codes can be supported to allow restriction of an individual's use according to his security authorization level. One embodiment can, for example, use hardware in combination with software to improve tamper resistance, and another embodiment could employ an entirely software based system. Although a dedicated hardware/software system may under certain circumstances provide assurance against tampering, techniques which may be implemented in software executing on a non-dedicated system may provide sufficient tamper resistance for some applications. Any or all of these features may be used in combination with the technology disclosed in this patent specification.

FIG. 3 Disks May Also Store Metadata, Controls and Other Information

In this example, disk 100 may also store “metadata” in protected and/or unprotected form. Player 52 uses metadata 202 to assist in using one or more of the properties 200 stored by disk 100. For example, disk 100 may store one metadata block 202(1) in unprotected form and another metadata block 202(2) in protected form. Any number of metadata blocks 202 in protected and/or unprotected form may be stored by disk 100 as limited only by the disk's storage capacity. In this example, metadata 202 comprises information used to access properties 200. Such metadata 202 may comprise, for example, frame sequence or other “navigational” information that controls the playback sequence of one or more of the properties 200 stored on disk 100. As one example, an unprotected metadata block 202 may access only selected portions of a protected property 200 to generate an abbreviated “trailer” presentation, while protected metadata block 202 may contain the frame playback sequence for the entire video presentation of the property 200. As another example, different metadata blocks 202 may be provided for different “cuts” of the same motion picture property 200 (e.g., an R-rated version, a PG-rated version, a director's cut version, etc.).

In this example, disk 100 may store additional information for security purposes. For example, disk 100 may store control rules in the form of a control set 204—which may be packaged in the form of one or more secure containers 206. Commerce model participants can securely contribute electronic rules and controls that represent their respective “electronic” interests. These rules and controls extend a “Virtual Presence™” through which the commerce participants may govern remote value chain activities according to their respective, mutually agreed to rights. This Virtual Presence may take the form of participant specified electronic conditions (e.g., rules and controls) that must be satisfied before an electronic event may occur. These rules and controls can be used to enforce the party's rights during “downstream” electronic commerce activities. Control information delivered by, and/or otherwise available for use with, VDE content containers may, for example, constitute one or more “proposed” electronic agreements which manage the use and/or consequences of the use of such content and which can enact the terms and conditions of agreements involving multiple parties and their various rights and obligations.

The rules and controls from multiple parties can be used, in one example, to form aggregate control sets (“Cooperative Virtual Presence™”) that ensure that electronic commerce activities will be consistent with the agreements amongst value chain participants. These control sets may, for example, define the conditions which govern interaction with protected digital content (disseminated digital content, appliance control information, etc.). These conditions can, for example, be used to control not only digital information use itself, but also the consequences of such use. Consequently, the individual interests of commerce participants are protected and cooperative, efficient, and flexible electronic commerce business models can be formed. These models can be used in combination with the present invention.

Disks May Store Encrypted Information

Disk 100 may also store an encrypted key block 208. In this example, disk 100 may further store one or more hidden keys 210. In this example, encrypted key block 208 provides one or more cryptographic keys for use in decrypting one or more properties 200 and/or one or more metadata blocks 202. Key block 208 may provide different cryptographic keys for decrypting different properties 200 and/or metadata blocks 202, or different portions of the same property and/or metadata block. Thus, key block 208 may comprise a large number of cryptographic keys, all of which are or may be required if all of the content stored by disk 100 is to be used. Although key block 208 is shown in FIG. 3 as being separate from container 206, it may be included within or as part of the container if desired.

Cryptographic key block 208 is itself encrypted using one or more additional cryptographic keys. In order for player 52 to use any of the protected information stored on disk 100, it must first decrypt corresponding keys within the encrypted key block 208—and then use the decrypted keys from the key block to decrypt the corresponding content.

In this example, the keys required to decrypt encrypted key block 208 may come from several different (possibly alternative) sources. In the example shown in FIG. 3, disk 100 stores one or more decryption keys for decrypting key block 208 on the medium itself in the form of a hidden key(s) 210. Hidden key(s) 210 may be stored, for example, in a location on disk 100 not normally accessible. This “not normally accessible” location could, for example, be physically enabled for drives 80 installed in players 52 and disabled for drives 80′ installed in personal computers 62. Enablement could be provided by different firmware, a jumper on drive 80, etc. Hidden key(s) 210 could be arranged on disk 100 so that any attempt to physically copy the disk would result in a failure to copy the hidden key(s). In one example a hidden key(s) could be hidden in the bit stream coding sequences for one or more blocks as described by J. Hogan (Josh Hogan, “DVD Copy Protection,” presentation to DVD copy protect technical meeting #4, May 30, 1996, Burbank, Calif.).

Alternatively, and/or in addition, keys required to decrypt encrypted key block 208 could be provided by disk drive 80. In this example, disk drive 80 might include a small decryption component such as, for example, an integrated circuit decryption engine including a small secure internal key store memory 212 having keys stored therein. Disk drive 80 could use this key store 212 in order to decrypt encrypted key block 208 without exposing either keys 212 or decrypted key block 208—and then use the decrypted key from key block 208 to decrypt protected content 200, 202.
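The two-level key hierarchy described above (hidden key 210 unwraps key block 208, whose per-property keys decrypt properties 200, all held inside the drive's key store 212) can be sketched as follows. This is an added illustration, not code from the patent; the disk layout, the `Drive` class, and the SHA-256/HMAC stand-in cipher are assumptions, since the text names no cipher or format.

```python
import hashlib
import hmac
import json
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one wrapping key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated cipher (assumption: the text names none).
    A real design would use a vetted AEAD instead."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def master_disk(properties: dict) -> dict:
    """Build a constructed disk image: one content key per property,
    all content keys wrapped in a key block under the hidden key."""
    hidden_key = os.urandom(32)
    content_keys = {name: os.urandom(32) for name in properties}
    key_block = json.dumps({n: k.hex() for n, k in content_keys.items()}).encode()
    return {
        "hidden_key_210": hidden_key,               # "not normally accessible" area
        "key_block_208": seal(hidden_key, key_block),
        "properties_200": {n: seal(content_keys[n], data)
                           for n, data in properties.items()},
    }


def copy_user_area(disk: dict) -> dict:
    # A physical copy that reproduces everything except the hidden area.
    return {k: v for k, v in disk.items() if k != "hidden_key_210"}


class Drive:
    """Drive 80 with key store 212. Callers receive plaintext content only;
    neither the hidden key nor the unwrapped key block is returned."""

    def __init__(self, hidden_area_enabled: bool):
        self._hidden_area_enabled = hidden_area_enabled  # firmware/jumper setting
        self._key_store = {}
        self._disk = None

    def load(self, disk: dict) -> bool:
        self._disk, self._key_store = disk, {}
        hidden = disk.get("hidden_key_210") if self._hidden_area_enabled else None
        if hidden is None:
            return False                      # PC drive, or a copy without the key
        try:
            block = unseal(hidden, disk["key_block_208"])
        except ValueError:
            return False                      # key block tampered or mismatched
        self._key_store = {n: bytes.fromhex(k) for n, k in json.loads(block).items()}
        return True

    def read_property(self, name: str) -> bytes:
        key = self._key_store.get(name)
        if key is None:
            raise PermissionError("no content key for " + name)
        return unseal(key, self._disk["properties_200"][name])
```
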

Disks May Store and/or Use Secure Containers

In yet another example, the key(s) required to decrypt protected content 200, 202 is provided within secure container 206. FIG. 3A shows a possible example of a secure container 206 including information content 304 (properties 200 and metadata 202 may be external to the container—or alternatively, most or all of the data structures stored by video disk 100 may be included as part of a logical and/or actual protected container). The control set 204 shown in FIG. 3 may comprise one or more permissions records 306, one or more budgets 308 and/or one or more methods 310 as shown in FIG. 3A. FIG. 3B shows an example control set 204 providing one or more encryption keys 208, one or more content identifiers 220, and one or more controls 222. In this example, different controls 222 may apply to different equipment and/or classes of equipment such as player 52 and/or computer equipment 62 depending upon the capabilities of the particular platform and/or class of platform. Additionally, controls 220 may apply to different ones of properties 200 and/or different ones of metadata blocks 202. For example, a control 222(1) may allow property 200(1) to be copied only once for archival purposes by either player 52 or computer equipment 62. A control 222(2) (which may be completely ignored by player 52 because it has insufficient technical and/or security capabilities but which may be useable by computer equipment 62 with its secure node 72) may allow the user to request and permit a public performance of the same property 200(1) (e.g., for showing in a bar or other public place) and cause the user's credit or other account to be automatically debited by a certain amount of compensation for each showing. A third control 222(3) may, for example, allow secure node 72 (but not player 52) to permit certain classes of users (e.g., certified television advertisers and journalists) to extract or excerpt certain parts of protected property 200(1) for promotional uses. A further control 222(4) may, as another example, allow both video player 52 and secure node 72 to view certain still frames within property 200(1)—but might allow only secure node 72 to make copies of the still frames based on a certain compensation level.

Example Disks and/or System May Make Use of Trusted Infrastructure

Controls 222 may contain pointers to sources of additional control sets for one or more properties, controls, metadata, and/or other content on the optical disk. In one example, these additional controls may be obtained from a trusted third party, such as a rights and permissions clearinghouse and/or from any other value chain participant authorized by at least one rightsholder to provide at least one additional control set. This kind of rights and permissions clearinghouse is one of several distributed electronic administrative and support services that may be referred to as the “Distributed Commerce Utility,” which, among other things, is an integrated, modular array of administrative and support services for electronic commerce and electronic rights and transaction management. These administrative and support services can be used to supply a secure foundation for conducting financial management, rights management, certificate authority, rules clearing, usage clearing, secure directory services, and other transaction related capabilities functioning over a vast electronic network such as the Internet and/or over organization internal Intranets, or even in-home networks of electronic appliances. Non-limiting examples of these electronic appliances include at least occasionally connected optical media appliances, examples of which include read-only and/or writable DVD players and DVD drives in computers and convergent devices, including, for example, digital televisions and settop boxes incorporating DVD drives.

These administrative and support services can, for example, be adapted to the specific needs of electronic commerce value chains in any number of vertical markets, including a wide variety of entertainment applications. Electronic commerce participants can, for example, use these administrative and support services to support their interests, and/or they can shape and reuse these services in response to competitive business realities. Non-exhaustive examples of electronic commerce participants include individual creators, film and music studios, distributors, program aggregators, broadcasters, and cable and satellite operators.

The Distributed Commerce Utility can, for example, make optimally efficient use of commerce administration resources, and can, in at least some embodiments, scale in a practical fashion to optimally accommodate the demands of electronic commerce growth.

The Distributed Commerce Utility may, for example, comprise a number of Commerce Utility Systems. These Commerce Utility Systems can provide a web of infrastructure support available to, and reusable by, the entire electronic community and/or many or all of its participants. Different support functions can, for example, be collected together in hierarchical and/or in networked relationships to suit various business models and/or other objectives. Modular support functions can, for example, be combined in different arrays to form different Commerce Utility Systems for different design implementations and purposes. These Commerce Utility Systems can, for example, be distributed across a large number of electronic appliances with varying degrees of distribution.

The “Distributed Commerce Utility” provides numerous additional capabilities and benefits that can be used in conjunction with the particular embodiments shown in the drawings of this application, non-exhaustive examples of which include:

-   Enables practical and efficient electronic commerce and rights management.
-   Provides services that securely administer and support electronic interactions and consequences.
-   Provides infrastructure for electronic commerce and other forms of human electronic interaction and relationships.
-   Optimally applies the efficiencies of modern distributed computing and networking.
-   Provides electronic automation and distributed processing.
-   Supports electronic commerce and communications infrastructure that is modular, programmable, distributed and optimally computerized.
-   Provides a comprehensive array of capabilities that can be combined to support services that perform various administrative and support roles.
-   Maximizes benefits from electronic automation and distributed processing to produce optimal allocation and use of resources across a system or network.
-   Is efficient, flexible, cost effective, configurable, reusable, modifiable, and generalizable.
-   Can economically reflect users' business and privacy requirements.
-   Can optimally distribute processes—allowing commerce models to be flexible, scaled to demand and to match user requirements.
-   Can efficiently handle a full range of activities and service volumes.
-   Can be fashioned and operated for each business model, as a mixture of distributed and centralized processes.
-   Provides a blend of local, centralized and networked capabilities that can be uniquely shaped and reshaped to meet changing conditions.
-   Supports general purpose resources and is reusable for many different models; in place infrastructure can be reused by different value chains having different requirements.
-   Can support any number of commerce and communications models.
-   Efficiently applies local, centralized and networked resources to match each value chain's requirements.
-   Sharing of common resources spreads out costs and maximizes efficiency.
-   Supports mixed, distributed, peer-to-peer and centralized networked capabilities.
-   Can operate locally, remotely and/or centrally.
-   Can operate synchronously, asynchronously, or support both modes of operation.
-   Adapts easily and flexibly to the rapidly changing sea of commercial opportunities, relationships and constraints of “Cyberspace.”

Any or all of these features may be used in combination with the inventions disclosed herein.

The Distributed Commerce Utility provides, among other advantages, comprehensive, integrated administrative and support services for secure electronic commerce and other forms of electronic interaction. These electronic interactions supported by the Distributed Commerce Utility may, in at least some embodiments, entail the broadest range of appliances and distribution media, non-limiting examples of which include networks and other communications channels, consumer appliances, computers, convergent devices such as WebTV, and optical media such as CD-ROM and DVD in all their current and future forms.

Example Access Techniques

FIGS. 3, 4A and 4B show example access techniques provided by player 52. In this example, upon disk 100 being loaded into player disk drive 80 (FIG. 4A, block 400), the player controller 82 may direct drive 80 to fetch hidden keys 210 from disk 100 and use them to decrypt some or all of the encrypted key block 208 (FIG. 4A, block 402). In this example, drive 80 may store the keys so decrypted without exposing them to player controller 82 (e.g., by storing them within key store 212 within a secure decryption component such as an integrated circuit based decryption engine) (FIG. 4A, block 404). The player 52 may control drive 80 to read the control set 204 (which may or may not be encrypted) from disk 100 (FIG. 4A, block 406). The player microprocessor 82 may parse control set 204, ignore or discard those controls 222 that are beyond its capability, and maintain permissions and/or rights management information corresponding to the subset of controls that it can enforce (e.g., the “copy once” control 222(1)).

Player 52 may then wait for the user to provide a request via control inputs 58 and/or remote control unit 56. If the control input is a copy request (“yes” exit to FIG. 4A, decision block 408), then player microprocessor 84 may query control 222(1) to determine whether copying is allowed, and if so, under what conditions (FIG. 4A, decision block 410). Player 52 may refuse to copy the disk 100 if the corresponding control 222(1) forbids copying (“no” exit to FIG. 4A, decision block 410), and may allow copying (e.g., by controlling drive 80 to sequentially access all of the information on disk 100 and provide it to an output port not shown) if corresponding control 222(1) permits copying (“yes” exit to FIG. 4A, decision block 410; block 412). In this example, player 52 may, upon making a copy, store an identifier associated with disk 100 within an internal, non-volatile memory (e.g., controller memory 86) or elsewhere if control 222(1) so requires. This stored disk identifier can be used by player 52 to enforce a “copy once” restriction (i.e., if the user tries to use the same player to copy the same disk more than once or otherwise as forbidden by control 222(1), the player can deny the request).

If the user requests one of properties 200 to be played or read (“yes” exit to FIG. 4A, decision block 414), player controller 82 may control drive 80 to read the corresponding information from the selected property 200 (e.g., in a sequence as specified by metadata 202) and decrypt the read information as needed using the keys initially obtained from key block 208 and now stored within drive key storage 212 (FIG. 4A, block 416).

FIG. 4B is a variation on the FIG. 4A process to accommodate a situation in which player 52 itself provides decryption keys for decrypting encrypted key block 208. In this example, controller 82 may supply one or more decryption keys to drive 80 using a secure protocol such as a Diffie-Hellman key agreement, or through use of a shared key known to both the drive and some other system or component to which the player 52 is or once was coupled (FIG. 4B, block 403). The drive 80 may use these supplied keys to decrypt encrypted key block 208 as shown in FIG. 4A, block 404, or it may use the supplied keys to directly decrypt content such as protected property 200 and/or protected metadata 202(2).

As a further example, the player 52 can be programmed to place a copy it makes of a digital property such as a film in encrypted form inside a tamper-resistant software container. The software container may carry with it a code indicating that the digital property is a copy rather than an original. The sending player 52 may also put its own unique identifier (or the unique identifier of an intended receiving device such as another player 52, a video cassette player or equipment 50) in the same secure container to enforce a requirement that the copy can be played only on the intended receiving device. Player 52 (or other receiving device) can be programmed to make no copies (or no additional copies) upon detecting that the digital property is a copy rather than an original. If desired, a player 52 can be programmed to refuse to play a digital property that is not packaged with the player's unique ID.

Example Use of Analog Encoding Techniques

In another example, more comprehensive rights management information may be encoded by player 52 in the analog output using methods for watermarking and/or fingerprinting. Today, a substantial portion of the “real world” is analog rather than digital. Despite the pervasiveness of analog signals, existing methods for managing rights and protecting copyright in the analog realm are primitive or non-existent. For example:

-   Quality degradation inherent in multigenerational analog copying has not prevented a multi-billion dollar pirating industry from flourishing.
-   Some methods for video tape copy and pay per view protection attempt to prevent any copying at all of commercially released content, or allow only one generation of copying. These methods can generally be easily circumvented.
-   Not all existing devices respond appropriately to copy protection signals.
-   Existing schemes are limited for example to “copy/no copy” controls.
-   Copy protection for sound recordings has not been commercially implemented.

A related problem relates to the conversion of information between the analog and digital domains. Even if information is effectively protected and controlled initially using strong digital rights management techniques, an analog copy of the same information may no longer be securely protected.

For example, it is generally possible for someone to make an analog recording of program material initially delivered in digital form. Some analog recordings based on digital originals are of quite good quality. For example, a Digital Versatile Disk (“DVD”) player may convert a movie from digital to analog format and provide the analog signal to a high quality analog home VCR. The home VCR records the analog signal. A consumer now has a high quality analog copy of the original digital property. A person could re-record the analog signal on a DVD-RAM. This recording will in many circumstances have substantial quality—and would no longer be subject to “pay per view” or other digital rights management controls associated with the digital form of the same content.

Since analog formats will be with us for a long time to come, rightsholders such as film studios, video rental and distribution companies, music studios and distributors, and other value chain participants would very much like to have significantly better rights management capabilities for analog film, video, sound recordings and other content. Solving this problem generally requires a way to securely associate rights management information with the content being protected.

In combination with other rights management capabilities, watermarking and/or fingerprinting may provide “end to end” secure rights management protection that allows content providers and rights holders to be sure their content will be adequately protected—irrespective of the types of devices, signaling formats and nature of signal processing within the content distribution chain. This “end to end” protection also allows authorized analog appliances to be easily, seamlessly and cost-effectively integrated into a modern digital rights management architecture.

Watermarking and/or fingerprinting may carry, for example, control information that can be a basis for a Virtual Distribution Environment (“VDE”) in which electronic rights management control information may be delivered over insecure (e.g., analog) communications channels. This Virtual Distribution Environment is highly flexible and convenient, accommodating existing and new business models while also providing an unprecedented degree of flexibility in facilitating ad hoc creation of new arrangements and relationships between electronic commerce and value chain participants—regardless of whether content is distributed in digital and/or analog formats.

Watermarking together with distributed, peer-to-peer rights management technologies provides numerous advantages, including, but not limited to:

-   An indelible and invisible, secure technique for providing rights management information.
-   An indelible method of associating electronic commerce and/or rights management controls with analog content such as film, video, and sound recordings.
-   Persistent association of the commerce and/or rights management controls with content from one end of a distribution system to the other—regardless of the number and types of transformations between signaling formats (for example, analog to digital, and digital to analog).
-   The ability to specify “no copy/one copy/many copies” rights management rules, and also more complex rights and transaction pricing models (such as, for example, “pay per view” and others).
-   The ability to fully and seamlessly integrate with comprehensive, general electronic rights management solutions.
-   Secure control information delivery in conjunction with authorized analog and other non-digital and/or non-secure information signal delivery mechanisms.
-   The ability to provide more complex and/or more flexible commerce and/or rights management rules as content moves from the analog to the digital realm and back.
-   The flexible ability to communicate commerce and/or rights management rules implementing new, updated, or additional business models to authorized analog and/or digital devices.

Any or all of these features may be used in combination in and/or with the inventions disclosed in the present specification.

Briefly, watermarking and/or fingerprinting methods may, using “steganographical” techniques, substantially indelibly and substantially invisibly encode rights management and/or electronic commerce rules and controls within an information signal such as, for example, an analog signal or a digitized (for example, sampled) version of an analog signal, non-limiting examples of which may include video and/or audio data, that is then decoded and utilized by the local appliance. The analog information and steganographically encoded rights management information may be transmitted via many means, non-limiting examples of which may include broadcast, cable TV, and/or physical media, VCR tapes, to mention one non-limiting example. Any or all of these techniques may be used in combination in accordance with the inventions disclosed herein.

Watermarking and/or fingerprinting methods enable at least some rights management information to survive transformation of the video and/or other information from analog to digital and from digital to analog format. Thus in one example, two or more analog and/or digital appliances may participate in an end-to-end fabric of trusted, secure rights management processes and/or events.

Example, More Capable Embodiments

As discussed above, the example control set shown in FIG. 3B provides a comprehensive, flexible and extensible set of controls for use by both player 52 and computer equipment 62 (or other platform) depending upon the particular technical, security and other capabilities of the platform. In this example, player 52 has only limited technical and security capabilities in order to keep cost and complexity down in a mass-produced consumer item, and therefore may essentially ignore or fail to enable some or all of the controls 222 provided within control set 204. In another example, the cost of memory and/or processors may continue to decline and manufacturers may choose to expand the technical and security capabilities of player 52. A more capable player 52 will provide more powerful, robust, and flexible rights management capabilities.

FIG. 5 shows an example arrangement permitting platform 60 including secure node 72 to have enhanced and/or different capabilities to use information and/or rights management information on disk 100, and FIG. 6 shows an example access technique provided by the secure node. Referring to FIG. 5, secure node 72 may be coupled to a network 150 whereas player 52 may not be—giving the secure node great additional flexibility in terms of communicating security related information such as audit trails, compensation related information such as payment requests or orders, etc. This connection of secure node 72 to network 150 (which may be replaced in any given application by some other communications technique such as insertion of a replaceable memory cartridge) allows secure node 72 to receive and securely maintain rights management control information such as an additional container 206′ containing an additional control set 204′. Secure node 72 may use control set 204′ in addition or in lieu of a control set 204 stored on disk 100. Secure node 72 may also maintain a secure cryptographic key store 212 that may provide cryptographic keys to be used in lieu of or in addition to any keys 208, 210 that may be stored on disk 100. Because of its increased security and/or technical capabilities, secure node 72 may be able to use controls 222 within control set 204 that player 52 ignores or cannot use—and may be provided with further and/or enhanced rights and/or rights management capabilities based on control set 204′ (which the user may, for example, order specially and which may apply to particular properties 200 stored on disk 100 and/or particular sets of disks).

Example Secure Node Access Techniques

The FIG. 6 example access technique (which may be performed by platform 60 employing secure node 72, for example) involves, in this particular example, the secure node 72 fetching property identification information 220 from disk 100 (FIG. 6, block 502), and then locating applicable control sets and/or rules 204 (which may be stored on disk 100, within secure node 72, within one or more repositories the secure node 72 accesses via network 150, and/or a combination of any or all of these techniques) (FIG. 6, block 504). Secure node 72 then loads the necessary decryption keys and uses them to decrypt information as required (FIG. 6, block 506). In one example, secure node 72 obtains the necessary keys from secure containers 206 and/or 206′ and maintains them within a protected processing environment such as SPU 164 or a software-emulated protected processing environment without exposing them externally of that environment. In another example, the secure node 72 may load the necessary keys (or a subset of them) into disk drive 82′ using a secure key exchange protocol for use by the disk drive in decrypting information much in the same manner as would occur within player 52 in order to maintain complete compatibility in drive hardware.

Secure node 72 may monitor user inputs and perform requested actions based on the particular control set 204, 204′. For example, upon receiving a user request, secure node 72 may query the control set 204, 204′ to determine whether it (they) permits the action the user has requested (FIG. 6, block 508) and, if permitted, whether conditions for performing the requested operation have been satisfied (FIG. 6, block 510). In this example, secure node 72 may effect the operations necessary to satisfy any such required conditions such as by, for example, debiting a user's locally-stored electronic cash wallet, securely requesting an account debit via network 150, obtaining and/or checking user certificates to ensure that the user is within an appropriate class or is who he or she says he or she is, etc.—using network 150 as required (FIG. 6, block 510). Upon all necessary conditions being satisfied, secure node 72 may perform the requested operation (and/or enable microprocessor 154 to perform the operation) (e.g., to release content) and may then generate secure audit records which can be maintained by the secure node and/or reported at the time or later via network 150 (FIG. 6, block 512).
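The same control set evaluated by a low-capability player (FIG. 4A) and by a secure node (FIG. 6) can be modelled as below. This is an added sketch, not code from the patent: the `Control` fields, capability names, prices and the default-deny treatment of discarded controls are assumptions chosen to mirror controls 222(1) to 222(4) as the text describes them.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Control:
    cid: str                               # reference numeral used in the text
    action: str                            # operation the control governs
    requires: frozenset                    # capabilities needed to enforce it (assumed names)
    max_uses: Optional[int] = None         # e.g. 1 for "copy once"
    price: int = 0                         # compensation per use, arbitrary units
    user_classes: frozenset = frozenset()  # empty means any user


# Constructed control set modelled on controls 222(1) to 222(4).
CONTROL_SET_204 = [
    Control("222(1)", "copy", frozenset({"nonvolatile_memory"}), max_uses=1),
    Control("222(2)", "public_performance",
            frozenset({"secure_node", "payment"}), price=5),
    Control("222(3)", "excerpt", frozenset({"secure_node", "certificates"}),
            user_classes=frozenset({"advertiser", "journalist"})),
    Control("222(4)", "copy_still", frozenset({"secure_node", "payment"}), price=1),
]


class Platform:
    def __init__(self, name, capabilities, wallet=0):
        self.name = name
        self.capabilities = frozenset(capabilities)
        self.wallet = wallet
        self.use_counts = {}    # non-volatile: (disk id, control id) -> uses so far
        self.audit = []         # audit records, kept by secure nodes only
        self.disk_id = None
        self.enforceable = {}

    def load_disk(self, disk_id, control_set):
        """Parse the control set and keep only the controls this platform
        can enforce; everything else is discarded."""
        self.disk_id = disk_id
        self.enforceable = {c.action: c for c in control_set
                            if c.requires <= self.capabilities}
        return sorted(c.cid for c in self.enforceable.values())

    def request(self, action, user_classes=frozenset()):
        control = self.enforceable.get(action)
        if control is None:
            # Assumption: a discarded control never becomes an implicit grant.
            return False, "no enforceable control grants this action"
        if control.user_classes and not control.user_classes & frozenset(user_classes):
            return False, "user is not in a permitted class"
        key = (self.disk_id, control.cid)
        used = self.use_counts.get(key, 0)
        if control.max_uses is not None and used >= control.max_uses:
            return False, "use limit reached for this disk"
        if control.price > self.wallet:
            return False, "insufficient funds"
        # All conditions satisfied: debit, record the use, then audit.
        self.wallet -= control.price
        self.use_counts[key] = used + 1
        if "secure_node" in self.capabilities:
            self.audit.append({"disk": self.disk_id, "control": control.cid,
                               "action": action, "debited": control.price})
        return True, "permitted by control " + control.cid
```

Because `use_counts` is keyed by disk identifier and outlives `load_disk`, ejecting and reloading the same disk does not reset the "copy once" limit.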

If the requested operation is to release content (e.g., make a copy of the content), platform 60 (or player 52 in the example above) may perform the requested operation based at least in part on the particular controls that enforce rights over the content. For example, the controls may prevent platform 60 from releasing content except to certain types of output devices that cannot be used to copy the content, or they may release the content in a way that discourages copying (e.g., by “fingerprinting” the copy with an embedded designation of who created the copy, by intentionally degrading the released content so that any copies made from it will be inferior, etc.). As one specific example, a video cassette recorder (not shown) connected to platform 60 may be the output device used to make the copy. Because present generations of analog devices such as video cassette recorders are incapable of making multigenerational copies without significant loss in quality, the content provider may provide controls that permit content to be copied by such analog devices but not by digital devices (which can make an unlimited number of copies without quality loss). For example, platform 60 may, under control of digital controls maintained by secure node 72, release content to the video cassette recorder only after the video cassette recorder supplies the platform a digital ID that designates the output device as a video cassette recorder—and may refuse to provide any output at all unless such a digital ID identifying the output device as a lower quality analog device is provided. Additionally or in the alternative, platform 60 may intentionally degrade the content it supplies to the video cassette recorder to ensure that no acceptable second-generation copies will be made. In another example, more comprehensive rights management information may be encoded by platform 60 in the analog output using watermarking and/or fingerprinting.

Additional Examples of Secure Container Usage

FIG. 7 shows a basic example of a DVD medium 700 containing a kind of secure container 701 for use in DVDs in accordance with the present invention. As shown in this example, container 701 (“DigiBox for DVDs”) could be a specialized version of a “standard” container tailored especially for use with DVD and/or other media, or it could, alternatively (in an arrangement shown later in FIG. 8), be a fully “standard” container. As shown in this example, the specialized container 701 incorporates features that permit it to be used in conjunction with content information, metadata, and cryptographic and/or protection information that is stored on the DVD medium 700 in the same manner as would have been used had container 701 not been present. Thus, specialized container 701 provides compatibility with existing data formats and organizations used on DVDs and/or other media. In addition, a specialized container 701 can be tailored to support only those features necessary for use in support of DVD and/or other media, so that it can be processed and/or manipulated using less powerful or less expensive computing resources than would be required for complete support of a “standard” container object.

In this example, specialized “DVD only” container 701 includes a content object (a property) 703 which includes an “external reference” 705 to video title content 707, which may be stored on the DVD and/or other medium in the same manner as would have been used for a medium not including container 701. The video title content 707 may include MPEG-2 and/or AC-3 content 708, as well as scrambling (protection) information 710 and header, structure and/or meta data 711. External reference 705 contains information that “designates” (points to, identifies, and/or describes) specific external processes to be applied/executed in order to use content and other information not stored in container 701. In this example, external reference 705 designates video title content 707 and its components 708, 710, and 711. Alternatively, container 701 could store some or all of the video title content in the container itself, using a format and organization that is specific to container 701, rather than the standard format for the DVD and/or other medium 700.

In this example, container 701 also includes a control object (control set) 705 that specifies the rules that apply to use of video title content 707. As indicated by solid arrow 702, control object 705 “applies to” content object (property) 703. As shown in this example, rule 704 can specify that protection processes, for example CGMA or the Matsushita data scrambling process, be applied, and can designate, by external reference 709 contained in rule 704, data scrambling information 710 to be used in carrying out the protection scheme. The shorthand “do CGMA” description in rule 704 indicates that the rule requires that the standard CGMA protection scheme used for content on DVD media is to be used in conjunction with video title content 707, but a different example could specify arbitrary other rules in control object 705 in addition to or instead of the “do CGMA” rule, including other standard DVD protection mechanisms such as the Matsushita data scrambling scheme and/or other rights management mechanisms. External reference 709 permits rule 704 to be based on protection information 710 that is stored and manipulated in the same format and manner as for a DVD medium that does not incorporate container 701 and/or protection information that is meaningful only in the context of processing container 701.

FIG. 8 shows an example of a DVD medium 800 containing a “standard” secure container 801. In this example, the “standard” container provides all of the functionality (if desired) of the FIG. 7 container, but may offer additional and/or more extensive rights management and/or content use capabilities than available on the “DVD only” container (e.g., the capacity to operate with various different platforms that use secure nodes).

FIG. 9 shows a more complex example of DVD medium 800 having a standard container 901 that provides all of the functionality (if desired) of the FIG. 7 container, and that can function in concert with other standard containers 902 located either on the same DVD medium or imported from another remote secure node or network. In this example, standard container 902 may include a supplementary control object 904 which applies to content object 903 of standard container 901. Also in this example, container 902 may provide an additional rule(s) such as, for example, a rule permitting/extending rights to allow up to a certain number (e.g., five) copies of the content available on DVD 900. This arrangement, for example, provides added flexibility in controlling rights management of DVD content between multiple platforms via access through “backchannels” such as via a set-top box or other hardware having bi-directional communications capabilities with other networks or computers.

Additional Use of a DVD Disk with a Secure Container

FIG. 10 illustrates the use of a “new” DVD disk—i.e., one that includes a special DVD secure container in the medium. This container may, in one example, be used in two possible use scenarios: a first situation in which the disk is used on an “old” player (i.e., a DVD appliance that is not equipped with a secure node to provide rights management in accordance with the present invention); and a second situation in which the disk is used on a “new” player—i.e., a DVD appliance which is equipped with a secure node to provide rights management in accordance with the present invention. In this example, a secure node within the “new” player is configured with the necessary capabilities to process other copy protection information such as, for example, CGMA control codes and data scrambling formats developed and proposed principally by Matsushita.

For example, in the situation shown in FIG. 10, the “new” player (which incorporates a secure node in accordance with the present invention) can recognize the presence of a secure container on the disk. The player may then load the special DVD secure container from the disk into the resident secure node. The secure node opens the container, and implements and/or enforces appropriate rules and usage consequences associated with the content by applying rules from the control object. These rules are extremely flexible. In one example, the rules may, for example, call for use of other protection mechanisms (such as, for example, CGMA protection codes and Matsushita data scrambling) which can be found in the content (or property) portion of the container.

In another example shown in FIG. 10, the special DVD container on the disk still allows the “old” player to use, to a predetermined limited amount, content material which may be used in accordance with conventional practices.

Example Use of a DVD Disk with No Secure Container

Referring now to FIG. 11, a further scenario is discussed. FIG. 11 illustrates use of an “old” DVD disk with two possible use examples: a first example in which the disk is used on an “old” player—i.e., a DVD appliance that is not equipped with a secure node for providing rights management in accordance with the present invention—and a second example in which the disk is used on a “new” player (i.e., equipped with a secure node).

In the first case, the “old” player will play the DVD content in a conventional manner. In the second scenario, the “new” player will recognize that the disk does not have a container stored in the medium. It therefore constructs a “virtual” container in resident memory of the appliance. To do this, it constructs a container content object, and also constructs a control object containing the appropriate rules. In one particular example, the only applicable rule it need apply is to “do CGMA”—but in other examples, additional and/or different rules could be employed. The virtual container is then provided to the secure node within the “new” player for implementing management of use rights in accordance with the present invention. Although not shown in FIGS. 10 and 11, use of “external references” may also be provided in both virtual and non-virtual containers used in the DVD context.
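The following Python sketch is an added illustration, not code from the specification, of how a “new” player could take a disk with or without a container through the same secure-node path. The class names, the `sections` dictionary, the single `copy_permitted` flag standing in for the protection information, and the choice to deny when a rule has no handler are all assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str                            # e.g. "do CGMA"
    external_ref: Optional[str] = None   # names data stored outside the container

@dataclass
class Container:
    content_ref: str                     # content object, held as an external reference
    rules: list                          # control object (control set)
    virtual: bool = False

@dataclass
class Disk:
    sections: dict                       # constructed stand-in for the medium's own data
    container: Optional[Container] = None

def load_container(disk):
    """Return the disk's container, or build a virtual one for an "old" disk."""
    if disk.container is not None:
        return disk.container
    return Container(content_ref="video_title",
                     rules=[Rule("do CGMA", external_ref="protection_info")],
                     virtual=True)

class SecureNode:
    """Applies every rule in the control object before releasing content."""

    def __init__(self):
        self.handlers = {"do CGMA": self._do_cgma}

    def _do_cgma(self, rule, disk, action):
        # Assumption: the protection info is reduced to one copy-permission flag.
        info = disk.sections.get(rule.external_ref, {})
        if action == "play":
            return True
        if action == "copy":
            return info.get("copy_permitted", False)
        return False

    def authorize(self, container, disk, action):
        if not container.rules:
            return False                 # no control object, nothing to rely on
        for rule in container.rules:
            handler = self.handlers.get(rule.name)
            # Design choice of this sketch: a rule the node cannot enforce denies.
            if handler is None or not handler(rule, disk, action):
                return False
        return True

    def use(self, disk, action):
        container = load_container(disk)
        if not self.authorize(container, disk, action):
            return None
        return disk.sections[container.content_ref]

# Constructed sample media: one without a container, one carrying a container.
OLD_DISK = Disk(sections={"video_title": b"title-bytes",
                          "protection_info": {"copy_permitted": False}})
NEW_DISK = Disk(sections={"video_title": b"title-bytes",
                          "protection_info": {"copy_permitted": True}},
                container=Container("video_title",
                                    [Rule("do CGMA", "protection_info")]))
```

Because the virtual container is an ordinary `Container`, the enforcement code has a single path to review for both kinds of disk.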

Example Illustrative Arrangements for Sharing, Brokering and Combining Rights when Operating in at Least Occasionally Connected Scenarios

As described above, the rights management resources of several different devices and/or other systems can be flexibly combined in diverse logical and/or physical relationships, resulting for example in greater and/or differing rights. Such rights management resource combinations can be effected through connection to one or more remote rights authorities. FIGS. 12-14 show some non-limiting examples of how rights authorities can be used in various contexts.

For example, FIG. 12 shows a rights authority broker 1000 connected to a local area network (LAN) 1002. LAN 1002 may connect to a wide area network if desired. LAN 1002 provides connectivity between rights authority broker 1000 and any number of appliances such as for example a player 50, a personal computer 60, a CD “tower” type server 1004. In the example shown, LAN 1002 includes a modem pool (and/or network protocol server, not shown) 1006 that allows a laptop computer 1008 to connect to the rights authority broker 1000 via dial-up lines 1010. Alternatively, laptop 1008 could communicate with rights authority broker 1000 using other network and/or communication means, such as the Internet and/or other Wide Area Networks (WANs). A disk player 50A may be coupled to laptop 1008 at the laptop location. In accordance with the teachings above, any or all of the devices shown in FIG. 12 may include one or more secure nodes 72.

Rights authority broker 1000 may act as an arbiter and/or negotiator of rights. For example, laptop 1008 and associated player 50A may have only limited usage rights when operating in a stand-alone configuration. However, when laptop 1008 connects to rights authority broker 1000 via modem pool 1006 and LAN 1002 and/or by other communication means, the laptop may acquire different and/or expanded rights to use disks 100 (e.g., availability of different content portions, different pricing, different extraction and/or redistribution rights, etc.). Similarly, player 50, equipment 60 and equipment 1004 may be provided with an enhanced and/or different set of disk usage rights through communication with rights authority broker 1000 over LAN 1002. Communication to and from rights authority broker 1000 is preferably secured through use of containers of the type disclosed in the above-referenced Ginter et al. patent specification.

FIG. 13 shows another example use of a rights authority broker 1000 within a home environment. In this example, the laptop computer 1008 may be connected to a home-based rights authority broker 1000 via a high speed serial IEEE 1394 bus and/or by other electronic communication means. In addition, rights authority broker 1000 can connect with any or all of:

- a high definition television 1100,
- one or more loudspeakers 1102 or other audio transducers,
- one or more personal computers 60,
- one or more set-top boxes 1030,
- one or more disk players 50,
- one or more other rights authority brokers 1000A-1000N and
- any other home or consumer equipment or appliances.

Any or all of the equipment listed above may include a secure node 72.

FIG. 14 shows another example use of a rights authority broker 1000. In this example, rights authority broker 1000 is connected to a network 1020 such as a LAN, a WAN, the Internet, etc. Network 1020 may provide connectivity between rights authority broker 1000 and any or all of the following equipment:

- one or more connected or occasionally connected disk players 50A, 50B;
- one or more networked computers 1022;
- one or more disk reader towers/servers 1004;
- one or more laptop computers 1008;
- one or more Commerce Utility Systems such as a rights and permissions clearinghouse 1024 (see Shear et al., “Trusted Infrastructure . . . ” specification referenced above);
- one or more satellite or other communications uplinks 1026;
- one or more cable television head-ends 1028;
- one or more set-top boxes 1030 (which may be connected to satellite downlinks 1032 and/or disk players 50C);
- one or more personal computer equipment 60;
- one or more portable disk players 1034 (which may be connected through other equipment, directly, and/or occasionally unconnected);
- one or more other rights authority brokers 1000A-1000N; and
- any other desired equipment.

Any or all of the above-mentioned equipment may include one or more secure nodes 72. Rights authority broker 1000 can distribute and/or combine rights for use by any or all of the other components shown in FIG. 14. For example, rights authority broker 100 can supply further secure rights management resources to equipment connected to the broker via network 1020. Multiple equipment shown in FIG. 14 can participate and work together in a permanently or temporarily connected network 1020 to share the rights management for a single node. Rights associated with parties and/or groups using and/or controlling such multiple devices and/or other systems can be employed according to underlying rights related rules and controls. As one example, rights available through a corporate executive's laptop computer 1008 might be combined with or substituted for, in some manner, the rights of one or more subordinate corporate employees when their computing or other devices 60 are coupled to network 1020 in a temporary networking relationship. In general, this aspect of the invention allows distributed rights management for DVD or otherwise packaged and delivered content that is protected by a distributed, peer-to-peer rights management. Such a distributed rights management can operate whether the DVD appliance or other content usage device is participating in a permanently or temporarily connected network 1020, and whether or not the relationships among the devices and/or other systems participating in the distributed rights management arrangement are relating temporarily or have a more permanent operating relationship.

For example, laptop computer 1008 may have different rights available depending on the context in which that device is operating. For example, in a general corporate environment such as shown in FIG. 12, the laptop 1008 may have one set of rights. However, the same laptop 1008 may be given a different set of rights when connected to a more general network 1020 in collaboration with specified individuals and/or groups in a corporation. The same laptop 1008 may be given a still different set of rights when connected in a general home environment such as shown by example in FIG. 13. The same laptop 1008 could be given still different rights when connected in still other environments such as, by way of non-limiting example:

- a home environment in collaboration with specified individuals and/or groups,
- a retail environment,
- a classroom setting as a student,
- a classroom setting in collaboration with an instructor,
- in a library environment,
- on a factory floor,
- on a factory floor in collaboration with equipment enabled to perform proprietary functions, and so on.

As one more particular example, coupling a limited resource device arrangement such as a DVD appliance 50 shown in FIG. 14 with an inexpensive network computer (NC) 1022 may allow an augmenting (or replacing) of rights management capabilities and/or specific rights of parties and/or devices by permitting rights management to be a result of a combination of some or all of the rights and/or rights management capabilities of the DVD appliance and those of a Network or Personal Computer (NC or PC). Such rights may be further augmented, or otherwise modified or replaced by the availability of rights management capabilities provided by a trusted (secure) remote network rights authority 1000.

The same device, in this example a DVD appliance 50, can thus support different arrays, e.g., degrees, of rights management capabilities, in disconnected and connected arrangements and may further allow available rights to result from the availability of rights and/or rights management capabilities resulting from the combination of rights management devices and/or other systems. This may include one or more combinations of some or all of the rights available through the use of a “less” secure and/or resource poor device or system which are augmented, replaced, or otherwise modified through connection with a device or system that is “more” or “differently” secure and/or resource rich and/or possesses differing or different rights, wherein such connection employs rights and/or management capabilities of either and/or both devices as defined by rights related rules and controls that describe a shared rights management arrangement.

In the latter case, connectivity to a logically and/or physically remote rights management capability can expand (by, for example, increasing the available secure rights management resources) and/or change the character of the rights available to the user of the DVD appliance 50 or a DVD appliance when such device is coupled with an NC 1022, personal computer 60, and/or remote rights authority 1000. In this rights augmentation scenario, additional content portions may be available, pricing may change, redistribution rights may change (e.g., be expanded), content extraction rights may be increased, etc.

Such “networking rights management” can allow for a combination of rights management resources of plural devices and/or other systems in diverse logical and/or physical relationships, resulting in either greater or differing rights through the enhanced resources provided by connectivity with one or more “remote” rights authorities. Further, while providing for increased and/or differing rights management capability and/or rights, such a connectivity based rights management arrangement can support multi-locational content availability, by providing for seamless integration of remotely available content, for example, content stored in remote, Internet world wide web-based, database supported content repositories, with locally available content on one or more DVD discs 100.

In this instance, a user may experience not only increased or differing rights but may be able to use both local DVD content and supplementing content (i.e., content that is more current from a time standpoint, more costly, more diverse, or complementary in some other fashion, etc.). In such an instance, a DVD appliance 50 and/or a user of a DVD appliance (or other device or system connected to such appliance) may have the same rights, differing, and/or different rights applied to locally and remotely available content, and portions of local and remotely available content may themselves be subject to differing or different rights when used by a user and/or appliance. This arrangement can support an overall, profound increase in user content opportunities that are seamlessly integrated and efficiently available to users in a single content searching and/or usage activity.

Such a rights augmenting remote authority 1000 may be directly coupled to a DVD appliance 50 and/or other device by modem (see item 1006 in FIG. 12) and/or directly or indirectly coupled through the use of an I/O interface, such as a serial 1394 compatible controller (e.g., by communicating between a 1394 enabled DVD appliance and a local personal computer that functions as a smart synchronous or asynchronous information communications interface to such one or more remote authorities, including a local PC 60 or NC 1022 that serves as a local rights management authority augmenting and/or supplying the rights management in a DVD appliance) and/or by other digital communication means such as wired and/or wireless network connections.

Rights provided to, purchased, or otherwise acquired by a participant and/or participant DVD appliance 50 or other system can be exchanged among such peer-to-peer relating devices and/or other systems so long as they participate in a permanently or temporarily connected network 1020. In such a case, rights may be bartered, sold for currency, otherwise exchanged for value, and/or loaned so long as such devices and/or other systems participate in a rights management system, for example, such as the Virtual Distribution Environment described in Ginter, et al., and employ rights transfer and other rights management capabilities described therein. For example, this aspect of the present invention allows parties to exchange games or movies in which they have purchased rights. Continuing the example, an individual might buy some of a neighbor's usage rights to watch a movie, or transfer to another party credit received from a game publisher for the successful superdistribution of the game to several acquaintances, where such credit is transferred (exchanged) to a friend to buy some of the friend's rights to play a different game a certain number of times, etc.

Example Virtual Rights Process

FIGS. 15A-15C show an example of a process in which rights management components of two or more appliances or other devices establish a virtual rights machine environment associated with an event, operation and/or other action. The process may be initiated in a number of ways. In one example, an appliance user (and/or computer software acting on behalf of a user, group of users, and/or automated system for performing actions) performs an action with a first appliance (e.g., requesting the appliance to display the contents of a secure container, extract a portion of a content element, run a protected computer program, authorize a work flow process step, initiate an operation on a machine tool, play a song, etc.) that results in the activation of a rights management component associated with such first appliance (FIG. 15A, block 1500). In other examples, the process may get started in response to an automatically generated event (e.g., based on a time of day or the like), a random or pseudo-random event, and/or a combination of such events with a user-initiated event.

Once the process begins, a rights management component such as a secure node 72 (for example, an SPE and/or HPE as disclosed in Ginter et al.) determines which rights associated with such first appliance, if any, the user has available with respect to such an action (FIG. 15A, block 1502). The rights management component also determines the coordinating and/or cooperating rights associated with such an action available to the user located in whole or in part on other appliances (FIG. 15A, block 1502).

In one example, these steps may be performed by securely delivering a request to a rights authority server 1000 that identifies the first appliance, the nature of the proposed action, and other information required or desired by such a rights authority server. Such other information may include, for example:

- the date and time of the request,
- the identity of the user,
- the nature of the network connection,
- the acceptable latency of a response, etc., and/or
- any other information.

In response to such a request, the rights authority server 1000 may return a list (or other appropriate structure) to the first appliance. This list may, for example, contain the identities of other appliances that do, or may, have rights and/or rights related information relevant to such a proposed action.

In another embodiment, the first appliance may communicate (e.g., poll) a network with requests to other appliances that do, or may, have rights and/or rights related information relevant to such proposed action. Polling may be desirable in cases where the number of appliances is relatively small and/or changes infrequently. Polling may also be useful, for example, in cases where functions of a rights authority server 1000 are distributed across several appliances.

The rights management component associated with the first appliance may then, in this example, check the security level(s) (and/or types) of devices and/or users of other appliances that do, or may, have rights and/or rights related information relevant to such an action (FIG. 15A, block 1506). This step may, for example, be performed in accordance with the security level(s) and/or device type management techniques disclosed in Sibert and Van Wie, and the user rights, secure name services and secure communications techniques disclosed in Ginter et al. Device and/or user security level determination may be based, for example, in whole or in part on device and/or user class.

The rights management component may then make a decision as to whether each of the other appliance devices and/or users have a sufficient security level to cooperate in forming the set of rights and/or rights related information associated with such an action (FIG. 15A, block 1508). As each appliance is evaluated, some devices and/or users may have sufficient security levels, and others may not. In this example, if a sufficient security level is not available (“No” exit to decision block 1508), the rights management component may create an audit record (for example, an audit record of the form disclosed in Ginter et al.) (FIG. 15A, block 1510), and may end the process (FIG. 15A, block 1512). Such audit record may be for either immediate transmission to a responsible authority and/or for local storage and later transmission, for example. The audit recording step may include, as one example, incrementing a counter that records security level failures (such as the counters associated with summary services in Ginter et al.).

If the devices and/or users provide the requisite security level (“Yes” exit to block 1508), the rights management component in this example may make a further determination based on the device and/or user class(es) and/or other configuration and/or characteristics (FIG. 15B, block 1514). Such determination may be based on any number of factors such as for example:

- the device is accessible only through a network interface that has insufficient throughput;
- devices in such a class typically have insufficient resources to perform the action, or relevant portion of the action, at all or with acceptable performance, quality, or other characteristics;
- the user class is inappropriate due to various conditions (e.g., age, security clearance, citizenship, jurisdiction, or any other class-based or other user characteristic); and/or
- other factors.

In one example, decision block 1514 may be performed in part by presenting a choice to the user that the user declines.

If processes within the rights management component determine that such device and/or user class(es) are inappropriate (“No” exit to block 1514), the rights management component may write an audit record if required or desired (FIG. 15B, block 1516) and the process may end (FIG. 15B, block 1518).

If, on the other hand, the rights management component determines that the device and/or user classes are appropriate to proceed (“Yes” exit to block 1514), the rights management component may determine the rights and resources available for performing the action on the first appliance and the other appliances acting together (FIG. 15B, block 1520). This step may be performed, for example, using any or all of the method processing techniques disclosed in Ginter et al. For example, method functions may include event processing capabilities that formulate a request to each relevant appliance that describes, in whole or in part, information related to the action, or portion of the action, potentially suitable for processing, in whole or in part, by such appliance. In this example, such requests, and associated responses, may be managed using the reciprocal method techniques disclosed in Ginter et al. If such interaction requires additional information, or results in ambiguity, the rights management component may, for example, communicate with the user and allow them to make a choice, such as making a choice among various available, functionally different options, and/or the rights management component may engage in a negotiation (for example, using the negotiation techniques disclosed in Ginter et al.) concerning resources, rights and/or rights related information.

The rights management component next determines whether there are sufficient rights and/or resources available to perform the requested action (FIG. 15B, decision block 1522). If there are insufficient rights and/or resources available to perform the action (“No” exit to block 1522), the rights management component may write an audit record (FIG. 15B, block 1524), and end the process (FIG. 15B, block 1526).

In this example, if sufficient rights and/or resources are available (“Yes” exit to block 1522), the rights management component may make a decision regarding whether additional events should be processed in order to complete the overall action (FIG. 15B, block 1528). For example, it may not be desirable to perform only part of the overall action if the necessary rights and/or resources are not available to complete the action. If more events are necessary and/or desired (“Yes” exit to block 1528), the rights management component may repeat blocks 1520, 1522 (and potentially perform blocks 1524, 1526) for each such event.

If sufficient rights and/or resources are available for each of the events (“No” exit to block 1528), the rights management component may, if desired or required, present a user with a choice concerning the available alternatives for rights and/or resources for performing the action (FIG. 15B, block 1530). Alternatively and/or in addition, the rights management component may rely on user preference information (and/or defaults) to “automatically” make such a determination on behalf of the user (for example, based on the overall cost, performance, quality, etc.). In another embodiment, the user's class, or classes, may be used to filter or otherwise aid in selecting among available options. In still another embodiment, artificial intelligence (including, for example, expert systems techniques) may be used to aid in the selection among alternatives. In another embodiment, a mixture of any or all of the foregoing (and/or other) techniques may be used in the selection process.

If there are no acceptable alternatives for rights and/or resources, or because of other negative aspects of the selection process (e.g., a user presses a “Cancel” button in a graphical user interface, a user interaction process exceeds the available time to make such a selection, etc.), (“No” exit to block 1530) the rights management component may write an audit record (FIG. 15B, block 1532), and end the process (FIG. 15B, block 1534).

On the other hand, if a selection process identifies one or more acceptable sets of rights and/or resources for performing the action and the decision to proceed is affirmative (“Yes” exit to block 1530), the rights management component may perform the proposed action using the first appliance alone or in combination with any additional appliances (e.g., a rights authority 1000, or any other connected appliance) based on the selected rights and/or resources (FIG. 15C, block 1536). Such cooperative implementation of the proposed actions may include for example:

- performing some or all of the action with the first appliance;
- performing some or all of the action with one or more appliances other than the first appliance (e.g., a rights authority 1000 and/or some other appliance);
- performing part of the action with the first appliance and part of the action with one or more other appliances; or
- any combination of these.

For example, this step may be performed using the event processing techniques disclosed in Ginter et al.

As one illustrative example, the first appliance may have all of the resources necessary to perform a particular task (e.g., read certain information from an optical disk), but may lack the rights necessary to do so. In such an instance, the first appliance may obtain the additional rights it requires to perform the task through the steps described above. In another illustrative example, the first appliance may have all of the rights required to perform a particular task, but it may not have the resources to do so. For example, the first appliance may not have sufficient hardware and/or software resources available to it for accessing, processing or otherwise using information in certain ways. In this example, step 1536 may be performed in whole or in part by some other appliance or appliances based in whole or in part on rights supplied by the first appliance. In still another example, the first appliance may lack both rights and resources necessary to perform a certain action, and may rely on one or more additional appliances to supply such resources and rights.

In this example, the rights management component may, upon completion of the action, write one or more audit records (FIG. 15C, block 1538), and the process may end (FIG. 15C, block 1540).
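The decision flow of FIGS. 15A-15C can be traced in code. The Python below is an added sketch, not part of the specification or of Ginter et al.: the numeric security scale, the class names, the sample appliances, and the reading that a peer failing a gate is dropped while the “No” exit is taken only when no offered peer remains are assumptions of the example.

```python
from dataclasses import dataclass, field

@dataclass
class Appliance:
    name: str
    security_level: int            # constructed numeric scale, higher is stronger
    device_class: str
    rights: set = field(default_factory=set)
    resources: set = field(default_factory=set)

@dataclass
class Event:
    name: str
    rights: set                    # rights the event requires
    resources: set                 # resources the event requires

def gate(candidates, passes, audit, block, reason):
    """Keep peers that pass; write one audit entry per peer that fails."""
    kept = []
    for peer in candidates:
        if passes(peer):
            kept.append(peer)
        else:
            audit.append((block, f"{peer.name}: {reason}"))
    return kept

def holder_of(item, attr, pool):
    """Name of the first appliance in the pool holding the right or resource."""
    for appliance in pool:
        if item in getattr(appliance, attr):
            return appliance.name
    return None

def virtual_rights_process(first, others, events, min_level, allowed_classes,
                           user_accepts=lambda plan: True):
    audit = []

    def result(ended_at, plan=(), performed=False):
        return {"performed": performed, "ended_at": ended_at,
                "plan": list(plan), "audit": audit}

    # Blocks 1506/1508: security level of each cooperating appliance.
    peers = gate(others, lambda p: p.security_level >= min_level,
                 audit, 1510, "security level too low")
    if others and not peers:
        return result(1512)

    # Block 1514: device and/or user class check.
    candidates = peers
    peers = gate(candidates, lambda p: p.device_class in allowed_classes,
                 audit, 1516, "class not appropriate")
    if candidates and not peers:
        return result(1518)

    # Blocks 1520/1522/1528: every event is checked before anything is performed.
    pool = [first] + peers
    plan = []
    for event in events:
        assignment = {}
        for attr, needed in (("rights", event.rights), ("resources", event.resources)):
            for item in sorted(needed):
                holder = holder_of(item, attr, pool)
                if holder is None:
                    audit.append((1524, f"{event.name}: no source of {item}"))
                    return result(1526)
                assignment[item] = holder
        plan.append((event.name, assignment))

    # Block 1530: user (or preference data acting for the user) accepts or declines.
    if not user_accepts(plan):
        audit.append((1532, "selection declined"))
        return result(1534)

    # Blocks 1536/1538/1540: perform cooperatively, audit, end.
    for name, assignment in plan:
        audit.append((1538, f"{name} performed by {sorted(set(assignment.values()))}"))
    return result(1540, plan, performed=True)

# Constructed sample appliances and event.
PLAYER = Appliance("player 50", 2, "dvd_appliance", {"play"}, {"disk_reader"})
BROKER = Appliance("rights authority 1000", 5, "rights_authority", {"play", "extract"})
PC = Appliance("pc 60", 1, "personal_computer", {"extract"}, {"editor"})
EXTRACT = [Event("extract clip", {"extract"}, {"disk_reader"})]
```

Every early exit leaves an audit entry tagged with the block that wrote it, so a reviewer can see from the returned `audit` list which gate refused cooperation and which peer caused it.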

An arrangement has been described which adequately satisfies current entertainment industry requirements for a low cost, mass-producible digital video disk or other high capacity disc copy protection scheme but which also provides enhanced, extensible rights management capabilities for more advanced and/or secure platforms and for cooperative rights management between devices of lesser, greater, and/or differing rights resources. While the invention has been described in connection with what is presently considered to be the most practical and preferred embodiment, it is to be understood that the invention is not to be limited to the disclosed embodiment, but on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the invention.

We claim:
1. A storage medium comprising: a first property; a second property; a first metadata block, the first metadata block for assisting in usage of the first property; a second metadata block, the second metadata block for assisting in usage of the second property; a control set for governing use of at least the second property, the control set comprising a first subset of one or more controls for use by a first class of electronic appliances, and a second subset of one or more controls for use by a second class of electronic appliances; and an encrypted key block comprising one or more cryptographic keys for use in decrypting at least the second property.

2. The storage medium of claim 1, in which the first property and the first metadata block are in unprotected form, and the second property and the second metadata block are in protected form.

3. The storage medium of claim 1, in which the first metadata block includes metadata adapted to enable usage of an abbreviated version of the second property.

4. The storage medium of claim 3, in which the second metadata block includes metadata adapted to enable usage of a complete version of the second property.

5. The storage medium of claim 4, in which the first metadata block and the second metadata block include frame playback sequence data.

6. The storage medium of claim 1, further comprising one or more keys for decrypting the encrypted key block.

7. The storage medium of claim 1, further comprising identification information of the second property.

8. The storage medium of claim 1, in which the control set includes a control that prohibits copying of the second property.

9. The storage medium of claim 1, in which the control set includes a control that allows the second property to be copied only once.

10. The storage medium of claim 1, in which the control set includes a control that allows the second property to be copied multiple times.

11. The storage medium of claim 1, in which the control set includes a control that allows a user or a class of users to play the second property.

12. The storage medium of claim 1, in which the control set includes a control that allows a user or a class of users to extract or excerpt at least a part of the second property.